Diffstat (limited to 'pki/base/setup')
-rw-r--r-- | pki/base/setup/LICENSE | 311 | ||||
-rw-r--r-- | pki/base/setup/build.xml | 293 | ||||
-rw-r--r-- | pki/base/setup/config/product.xml | 305 | ||||
-rw-r--r-- | pki/base/setup/config/release.xml | 86 | ||||
-rwxr-xr-x | pki/base/setup/pkicommon | 2150 | ||||
-rwxr-xr-x | pki/base/setup/pkicreate | 2939 | ||||
-rwxr-xr-x | pki/base/setup/pkihost | 157 | ||||
-rwxr-xr-x | pki/base/setup/pkiremove | 419 |
8 files changed, 6660 insertions, 0 deletions
diff --git a/pki/base/setup/LICENSE b/pki/base/setup/LICENSE
new file mode 100644
index 000000000..e36f2269a
--- /dev/null
+++ b/pki/base/setup/LICENSE
@@ -0,0 +1,311 @@ +This Program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published +by the Free Software Foundation; version 2 of the License. + +This Program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with this Program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +In addition, as a special exception, Red Hat, Inc. gives You the additional +right to link the code of this Program with code not covered under the GNU +General Public License ("Non-GPL Code") and to distribute linked combinations +including the two, subject to the limitations in this paragraph. Non-GPL +Code permitted under this exception must only link to the code of this +Program through those well defined interfaces identified in the file named +EXCEPTION found in the source code files (the "Approved Interfaces"). + +The files of Non-GPL Code may instantiate templates or use macros or inline +functions from the Approved Interfaces without causing the resulting work to +be covered by the GNU General Public License. Only Red Hat, Inc. may make +changes or additions to the list of Approved Interfaces. You must obey the +GNU General Public License in all respects for all of the Program code and +other code used in conjunction with the Program except the Non-GPL Code +covered by this exception. If you modify this file, you may extend this +exception to your version of the file, but you are not obligated to do so. +If you do not wish to provide this exception without modification, you must +delete this exception statement from your version and license this file +solely under the GPL without exception. 
+ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
diff --git a/pki/base/setup/build.xml b/pki/base/setup/build.xml
new file mode 100644
index 000000000..60b66a065
--- /dev/null
+++ b/pki/base/setup/build.xml
@@ -0,0 +1,293 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="setup" default="main" basedir=".">
+
+ <import file="config/product.xml"/>
+ <import file="config/product-ext.xml" optional="true"/>
+
+
+ <target name="clean"
+ depends=""
+ description="--> remove component directories">
+ <echo message="${begin.clean.log.message}"/>
+ <delete dir="${dist.base}"/>
+ <delete dir="${build.dir}"/>
+ <echo message="${end.clean.log.message}"/>
+ </target>
+
+
+ <target name="download"
+ depends=""
+ description="--> download dependent components">
+ <echo message="${begin.download.log.message}"/>
+ <echo message="${empty.download.log.message}"/>
+ <echo message="${end.download.log.message}"/>
+ </target>
+
+
+ <target name="compile_java"
+ depends=""
+ description="--> compile java source code into classes">
+ <echo message="${begin.compile.java.log.message}"/>
+ <echo message="${empty.compile.java.log.message}"/>
+ <echo message="${end.compile.java.log.message}"/>
+ </target>
+
+
+ <target name="build_jars"
+ depends="compile_java"
+ description="--> generate jar files">
+ <echo message="${begin.build.jars.log.message}"/>
+ <echo message="${empty.build.jars.log.message}"/>
+ <echo message="${end.build.jars.log.message}"/>
+
</target>
+
+
+ <target name="build_jni_headers"
+ depends="compile_java"
+ description="--> generate jni header files">
+ <echo message="${begin.build.jni.headers.log.message}"/>
+ <echo message="${empty.build.jni.headers.log.message}"/>
+ <echo message="${end.build.jni.headers.log.message}"/>
+ </target>
+
+
+ <target name="build"
+ depends="build_jars,build_jni_headers"
+ description="--> build classes, jars, and jni headers">
+ <echo message="${notify.build.log.message}"/>
+ </target>
+
+
+ <target name="compile_junit_tests"
+ depends="build"
+ description="--> compile junit test source code">
+ <echo message="${begin.compile.junit.tests.log.message}"/>
+ <echo message="${empty.compile.junit.tests.log.message}"/>
+ <echo message="${end.compile.junit.tests.log.message}"/>
+ </target>
+
+
+ <target name="run_junit_tests"
+ depends="compile_junit_tests"
+ description="--> execute junit tests">
+ <echo message="${begin.run.junit.tests.log.message}"/>
+ <echo message="${empty.run.junit.tests.log.message}"/>
+ <echo message="${end.run.junit.tests.log.message}"/>
+ </target>
+
+
+ <target name="verify"
+ depends="run_junit_tests"
+ description="--> build and execute junit tests">
+ <echo message="${notify.verify.log.message}"/>
+ </target>
+
+
+ <target name="clean_javadocs"
+ depends=""
+ description="--> remove javadocs directory">
+ <echo message="${begin.clean.javadocs.log.message}"/>
+ <echo message="${empty.clean.javadocs.log.message}"/>
+ <echo message="${end.clean.javadocs.log.message}"/>
+ </target>
+
+
+ <target name="compose_javadocs"
+ depends="build"
+ description="--> generate javadocs">
+ <echo message="${begin.compose.javadocs.log.message}"/>
+ <echo message="${empty.compose.javadocs.log.message}"/>
+ <echo message="${end.compose.javadocs.log.message}"/>
+ </target>
+
+
+ <target name="document"
+ depends="clean_javadocs,compose_javadocs"
+ description="--> remove old javadocs and compose new javadocs">
+ <echo
message="${notify.document.log.message}"/>
+ </target>
+
+
+ <target name="distribute_binaries"
+ depends="document"
+ description="--> create the zip and gzipped tar binary distributions">
+ <echo message="${begin.distribute.binaries.log.message}"/>
+ <mkdir dir="${dist.base.binaries}"/>
+
+ <echo message="${begin.binary.wrappers.log.message}"/>
+ <echo message="${empty.binary.wrappers.log.message}"/>
+ <echo message="${end.binary.wrappers.log.message}"/>
+
+ <echo message="${begin.binary.zip.log.message}"/>
+ <zip destfile="${dist.base.binaries}/${dist.name}.zip">
+ <zipfileset dir="."
+ filemode="755"
+ prefix="usr/bin">
+ <include name="pkihost"/>
+ <include name="pkicreate"/>
+ <include name="pkiremove"/>
+ </zipfileset>
+ <zipfileset dir="."
+ filemode="755"
+ prefix="usr/share/${product.prefix}/scripts">
+ <include name="pkicommon"/>
+ </zipfileset>
+ <zipfileset dir="."
+ filemode="755"
+ prefix="usr/share/doc/${dist.name}">
+ <include name="LICENSE"/>
+ </zipfileset>
+ </zip>
+ <echo message="${end.binary.zip.log.message}"/>
+
+ <echo message="${begin.binary.tar.log.message}"/>
+ <tar longfile="gnu"
+ destfile="${dist.base.binaries}/${dist.name}.tar">
+ <tarfileset dir="."
+ mode="755"
+ prefix="${dist.name}/usr/bin">
+ <include name="pkihost"/>
+ <include name="pkicreate"/>
+ <include name="pkiremove"/>
+ </tarfileset>
+ <tarfileset dir="."
+ mode="755"
+ prefix="${dist.name}/usr/share/${product.prefix}/scripts">
+ <include name="pkicommon"/>
+ </tarfileset>
+ <tarfileset dir="."
+ mode="755"
+ prefix="${dist.name}/usr/share/doc/${dist.name}">
+ <include name="LICENSE"/>
+ </tarfileset>
+ </tar>
+ <echo message="${end.binary.tar.log.message}"/>
+
+ <echo message="${begin.binary.gtar.log.message}"/>
+ <gzip destfile="${dist.base.binaries}/${dist.name}.tar.gz"
+ src="${dist.base.binaries}/${dist.name}.tar"/>
+ <delete file="${dist.base.binaries}/${dist.name}.tar"/>
+ <delete dir="${dist.name}"/>
+ <checksum fileext=".md5">
+ <fileset dir="${dist.base.binaries}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <checksum fileext=".sha1"
+ algorithm="SHA">
+ <fileset dir="${dist.base.binaries}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <echo message="${end.binary.gtar.log.message}"/>
+
+ <echo message="${end.distribute.binaries.log.message}"/>
+ </target>
+
+
+ <target name="distribute_source"
+ depends=""
+ description="--> create the zip and gzipped tar source distributions">
+ <echo message="${begin.distribute.source.log.message}"/>
+ <mkdir dir="${dist.base.source}"/>
+
+ <echo message="${begin.source.zip.log.message}"/>
+ <zip destfile="${dist.base.source}/${src.dist.name}.zip">
+ <zipfileset dir="."
+ filemode="755"
+ prefix="${src.dist.name}">
+ <include name="${specfile}"/>
+ <include name="LICENSE"/>
+ <include name="build.xml"/>
+ <include name="config/product*.xml"/>
+ <include name="config/release*.xml"/>
+ <include name="pkicreate"/>
+ <include name="pkicommon"/>
+ <include name="pkihost"/>
+ <include name="pkiremove"/>
+ <include name="release"/>
+ </zipfileset>
+ </zip>
+ <echo message="${end.source.zip.log.message}"/>
+
+ <echo message="${begin.source.tar.log.message}"/>
+ <tar longfile="gnu"
+ destfile="${dist.base.source}/${src.dist.name}.tar">
+ <tarfileset dir="."
+ mode="755"
+ prefix="${src.dist.name}">
+ <include name="${specfile}"/>
+ <include name="LICENSE"/>
+ <include name="build.xml"/>
+ <include name="config/product*.xml"/>
+ <include name="config/release*.xml"/>
+ <include name="pkicreate"/>
+ <include name="pkicommon"/>
+ <include name="pkihost"/>
+ <include name="pkiremove"/>
+ <include name="release"/>
+ </tarfileset>
+ </tar>
+ <echo message="${end.source.tar.log.message}"/>
+
+ <echo message="${begin.source.gtar.log.message}"/>
+ <gzip destfile="${dist.base.source}/${src.dist.name}.tar.gz"
+ src="${dist.base.source}/${src.dist.name}.tar"/>
+ <delete file="${dist.base.source}/${src.dist.name}.tar"/>
+ <delete dir="${dist.name}"/>
+ <checksum fileext=".md5">
+ <fileset dir="${dist.base.source}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <checksum fileext=".sha1"
+ algorithm="SHA">
+ <fileset dir="${dist.base.source}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <echo message="${end.source.gtar.log.message}"/>
+
+ <echo message="${end.distribute.source.log.message}"/>
+ </target>
+
+
+ <target name="distribute"
+ depends="distribute_binaries,distribute_source"
+ description="--> create binary and source component distributions">
+ <echo message="${notify.distribute.log.message}"/>
+ </target>
+
+
+ <target name="main"
+ depends="clean,distribute"
+ description="--> clean, build, verify, document, distribute [default]">
+ <echo message="${notify.main.log.message}"/>
+ </target>
+
+</project>
+
diff --git a/pki/base/setup/config/product.xml b/pki/base/setup/config/product.xml
new file mode 100644
index 000000000..33caf48ed
--- /dev/null
+++ b/pki/base/setup/config/product.xml
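Review bot: The integrity checksums written for both distributions are MD5 and SHA-1 (`algorithm="SHA"` selects SHA-1 in the JDK), and neither is collision resistant, so a consumer comparing a downloaded archive against the published `.md5`/`.sha1` gets little protection against a substituted artifact; the second `<checksum>` task in distribute_binaries and again in distribute_source would serve better as `<checksum fileext=".sha256" algorithm="SHA-256">`, with the `.asc` exclusion suggesting a detached signature is the intended authenticity check on top of that. The LICENSE file is also packed with `filemode="755"` in the zip and `mode="755"` in the tar even though it is documentation under usr/share/doc; `644` is sufficient there, and the same applies to the source tree packed in distribute_source, where only the four scripts need the executable bit. distribute_source deletes `${dist.name}` after building `${src.dist.name}.tar`, which looks like a copy-paste of the binaries target and was presumably meant to be `${src.dist.name}`; as written it is harmless, since the tarfileset prefix never creates that directory.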
@@ -0,0 +1,305 @@ +<!-- ### BEGIN COPYRIGHT BLOCK ### + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + Copyright (C) 2007 Red Hat, Inc. + All rights reserved. + ### END COPYRIGHT BLOCK ### --> +<project name="product.xml" default="main" basedir="."> + + <!-- Set up properties based upon the user's default Ant configuration --> + <property file=".ant.properties"/> + <property file="${user.home}/.ant.properties"/> + <property environment="env"/> + + + <!-- Check for required properties passed-in via the build scripts --> + <fail message="The '-Dspecfile=SPECFILE' property MUST always be specified!" 
+ unless="specfile"/> + + + <!-- Set up optional properties passed-in via the build scripts --> + <property name="basedir" value=""/> + <property name="dirsec" value=""/> + <property name="target" value=""/> + + + <!-- Set up properties obtained from the spec file --> + <exec executable="perl" + failonerror="true" + outputproperty="Name"> + <arg value="-ne"/> + <arg value="print $1 if /%define base_product\s+(.*)/"/> + <arg value="${specfile}"/> + </exec> + + <exec executable="perl" + failonerror="true" + outputproperty="spec.product.ui.prefix"> + <arg value="-ne"/> + <arg value="print $1 if /%define base_ui_prefix\s+(\S+)/"/> + <arg value="${specfile}"/> + </exec> + + <exec executable="perl" + failonerror="true" + outputproperty="product.prefix"> + <arg value="-ne"/> + <arg value="print $1 if /%define base_prefix\s+(\S+)/"/> + <arg value="${specfile}"/> + </exec> + + <exec executable="perl" + failonerror="true" + outputproperty="product"> + <arg value="-ne"/> + <arg value="print $1 if /%define base_component\s+(\S+)/"/> + <arg value="${specfile}"/> + </exec> + + <!-- if "spec.product.ui.prefix" is "" or "linux", --> + <!-- set "product.ui.prefix" to ""; otherwise --> + <!-- set "product.ui.prefix" to "spec.product.ui.prefix" --> + <condition property="product.ui.prefix" + value="" + else="${spec.product.ui.prefix}"> + <or> + <equals arg1="${spec.product.ui.prefix}" + arg2=""/> + <equals arg1="${spec.product.ui.prefix}" + arg2="linux"/> + </or> + </condition> + + <!-- "product.name" is of the form "x-y-z" --> + <condition property="product.name" + value="${product.ui.prefix}-${product.prefix}-${product}"> + <not> + <equals arg1="${product.ui.prefix}" + arg2=""/> + </not> + </condition> + + <!-- "product.name" is of the form "x-y" --> + <condition property="product.name" + value="${product.prefix}-${product}"> + <and> + <equals arg1="${product.ui.prefix}" + arg2=""/> + <not> + <equals arg1="${product.prefix}" + arg2=""/> + </not> + </and> + </condition> + + <!-- 
"product.name" is of the form "x" --> + <condition property="product.name" + value="${product}"> + <and> + <equals arg1="${product.ui.prefix}" + arg2=""/> + <equals arg1="${product.prefix}" + arg2=""/> + </and> + </condition> + + <exec executable="perl" + failonerror="true" + outputproperty="version"> + <arg value="-ne"/> + <arg value="print $1 if /%define base_version\s+(\S+)/"/> + <arg value="${specfile}"/> + </exec> + + + <!-- Set up architecture-dependent properties --> + <exec executable="uname" + failonerror="true" + outputproperty="arch"> + <arg line="-i"/> + </exec> + + <!-- Set up architecture-independent properties --> + <property name="jar.home" value="/usr/share/java"/> + <property name="pki-jar.home" value="${jar.home}/${product.prefix}"/> + <property name="jni-jar.home" value="/usr/lib/java"/> + + <!-- Set up properties that control various build options --> + <property name="debug" value="true"/> + <property name="chmod.fail" value="true"/> + <property name="chmod.maxparallel" value="250"/> + <property name="deprecation" value="false"/> + <property name="optimize" value="true"/> + + + <!-- Set up properties related to the source tree --> + <property name="docs.dir" value="docs"/> + <property name="lib.dir" value="lib"/> + <property name="src.dir" value="src"/> + <property name="test.dir" value="test"/> + <property name="etc.dir" value="${src.dir}/etc"/> + <property name="script.dir" value="${src.dir}/script"/> + + + <!-- Set up properties for the release area --> + <property name="release.root" value="."/> + + + <!-- Set up properties for the build area --> + <property name="build.dir" value="build"/> + <property name="bootstrap.dir" value="bootstrap"/> + <property name="build.jars" value="${build.dir}/jars"/> + <property name="build.classes" value="${build.dir}/classes"/> + <property name="build.lib" value="${build.dir}/lib"/> + <property name="build.javadocs" value="${build.dir}/javadocs"/> + <property name="build.tests" 
value="${build.dir}/testcases"/> + <property name="build.tests.javadocs" value="${build.dir}/javadocs.test/"/> + <property name="manifest.tmp" value="${build.dir}/optional.manifest"/> + + + <!-- Set up properties for the distribution area --> + <property name="dist.name" value="${product.name}-${version}"/> + <property name="dist.base" value="dist"/> + <property name="dist.base.source" value="${dist.base}/source"/> + <property name="dist.base.binaries" value="${dist.base}/binary"/> + <property name="dist.dir" value="dist"/> + <property name="dist.bin" value="${dist.dir}/bin"/> + <property name="dist.lib" value="${dist.dir}/lib"/> + <property name="dist.docs" value="${dist.dir}/docs"/> + <property name="dist.etc" value="${dist.dir}/etc"/> + <property name="src.dist.name" value="${product.name}-${version}"/> + <property name="src.dist.dir" value="dist-src"/> + <property name="src.dist.src" value="${src.dist.dir}/src"/> + <property name="src.dist.docs" value="${src.dist.dir}/docs"/> + <property name="src.dist.lib" value="${src.dist.dir}/lib"/> + + + <!-- Set up properties for log messages --> + <property name="begin.clean.log.message" + value="Removing '${product.name}' component directories ..."/> + <property name="empty.clean.log.message" + value="Nothing to do!"/> + <property name="end.clean.log.message" + value="Completed removing '${product.name}' component directories."/> + <property name="begin.download.log.message" + value="Downloading '${product.name}' dependent components ..."/> + <property name="empty.download.log.message" + value="Nothing to do!"/> + <property name="end.download.log.message" + value="Completed downloading '${product.name}' dependent components."/> + <property name="begin.compile.java.log.message" + value="Compiling '${product.name}' java code from '${src.dir}' into '${build.classes}' ..."/> + <property name="empty.compile.java.log.message" + value="Nothing to do!"/> + <property name="end.compile.java.log.message" + value="Completed 
compiling '${product.name}' java code from '${src.dir}' into '${build.classes}'."/> + <property name="begin.build.jars.log.message" + value="Generating '${product.name}' jar files ..."/> + <property name="empty.build.jars.log.message" + value="Nothing to do!"/> + <property name="end.build.jars.log.message" + value="Completed generating '${product.name}' jar files."/> + <property name="begin.build.jni.headers.log.message" + value="Generating '${product.name}' java header files ..."/> + <property name="empty.build.jni.headers.log.message" + value="Nothing to do!"/> + <property name="end.build.jni.headers.log.message" + value="Completed generating '${product.name}' java header files."/> + <property name="notify.build.log.message" + value="Built classes, jars, and jni headers for the '${product.name}' component."/> + <property name="begin.compile.junit.tests.log.message" + value="Compiling '${product.name}' junit tests from '${test.dir}' into '${build.tests}' ..."/> + <property name="empty.compile.junit.tests.log.message" + value="Nothing to do!"/> + <property name="end.compile.junit.tests.log.message" + value="Completed compiling '${product.name}' junit tests from '${test.dir}' into '${build.tests}'."/> + <property name="begin.run.junit.tests.log.message" + value="Executing '${product.name}' tests ..."/> + <property name="empty.run.junit.tests.log.message" + value="Nothing to do!"/> + <property name="end.run.junit.tests.log.message" + value="Completed executing '${product.name}' tests."/> + <property name="notify.verify.log.message" + value="Verified the '${product.name}' component."/> + <property name="begin.clean.javadocs.log.message" + value="Removing '${product.name}' javadocs directory ..."/> + <property name="empty.clean.javadocs.log.message" + value="Nothing to do!"/> + <property name="end.clean.javadocs.log.message" + value="Completed removing '${product.name}' javadocs directory."/> + <property name="begin.compose.javadocs.log.message" + value="Composing 
'${product.name}' javadocs ..."/> + <property name="empty.compose.javadocs.log.message" + value="Nothing to do!"/> + <property name="end.compose.javadocs.log.message" + value="Completed composing '${product.name}' javadocs."/> + <property name="notify.document.log.message" + value="Documented '${product.name}' javadocs."/> + <property name="begin.distribute.binaries.log.message" + value="Creating '${product.name}' binary distributions ..."/> + <property name="begin.binary.wrappers.log.message" + value=" Creating '${product.name}' binary wrappers ..."/> + <property name="empty.binary.wrappers.log.message" + value=" Nothing to do!"/> + <property name="end.binary.wrappers.log.message" + value=" Completed creating '${product.name}' binary wrappers."/> + <property name="begin.binary.zip.log.message" + value=" Creating '${product.name}' binary zip files ..."/> + <property name="empty.binary.zip.log.message" + value=" Nothing to do!"/> + <property name="end.binary.zip.log.message" + value=" Completed creating '${product.name}' binary zip files."/> + <property name="begin.binary.tar.log.message" + value=" Creating '${product.name}' binary tar files ..."/> + <property name="empty.binary.tar.log.message" + value=" Nothing to do!"/> + <property name="end.binary.tar.log.message" + value=" Completed creating '${product.name}' binary tar files."/> + <property name="begin.binary.gtar.log.message" + value=" Creating '${product.name}' binary gzip files ..."/> + <property name="empty.binary.gtar.log.message" + value=" Nothing to do!"/> + <property name="end.binary.gtar.log.message" + value=" Completed creating '${product.name}' binary gzip files."/> + <property name="end.distribute.binaries.log.message" + value="Completed creating '${product.name}' binary distributions."/> + <property name="begin.distribute.source.log.message" + value="Creating '${product.name}' source distributions ..."/> + <property name="begin.source.zip.log.message" + value=" Creating '${product.name}' source 
zip files ..."/> + <property name="empty.source.zip.log.message" + value=" Nothing to do!"/> + <property name="end.source.zip.log.message" + value=" Completed creating '${product.name}' source zip files."/> + <property name="begin.source.tar.log.message" + value=" Creating '${product.name}' source tar files ..."/> + <property name="empty.source.tar.log.message" + value=" Nothing to do!"/> + <property name="end.source.tar.log.message" + value=" Completed creating '${product.name}' source tar files."/> + <property name="begin.source.gtar.log.message" + value=" Creating '${product.name}' source gzip files ..."/> + <property name="empty.source.gtar.log.message" + value=" Nothing to do!"/> + <property name="end.source.gtar.log.message" + value=" Completed creating '${product.name}' source gzip files."/> + <property name="end.distribute.source.log.message" + value="Completed creating '${product.name}' source distributions."/> + <property name="notify.distribute.log.message" + value="Distributed '${product.name}' distribution packages."/> + <property name="notify.main.log.message" + value="Built, verified, documented, and distributed a fresh '${product.name}' component."/> + +</project> + diff --git a/pki/base/setup/config/release.xml b/pki/base/setup/config/release.xml new file mode 100644 index 000000000..fc43aaeb7 --- /dev/null +++ b/pki/base/setup/config/release.xml 
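Review bot: The `Name` property near the top of product.xml is extracted with `print $1 if /%define base_product\s+(.*)/` while the four sibling extractions use `(\S+)`, so any trailing whitespace or a CR on that spec line ends up inside `Name`; the capture should be `(\S+)` for consistency. The three `product.name` conditions also leave a gap: the first one fires on a non-empty `product.ui.prefix` alone, so a spec with a UI prefix but an empty `base_prefix` yields a name with an empty middle segment (`x--z`), which can be closed by wrapping that condition's test in `<and>` with `<not><equals arg1="${product.prefix}" arg2=""/></not>`. All five `perl -ne` extractions silently produce an empty property when the `%define` is missing, because `failonerror` only covers the exit status; a `<fail message="..." unless="version"/>` style guard on each derived property, as is already done for `specfile`, would surface a malformed spec file before it reaches the packaging targets.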
@@ -0,0 +1,86 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="release.xml" default="main" basedir="${basedir}">
+
+ <echo message="Importing shared properties ..."/>
+ <import file="product.xml"/>
+ <import file="product-ext.xml" optional="true"/>
+ <import file="release-ext.xml" optional="true"/>
+ <echo message="Completed importing shared properties."/>
+
+
+ <target name="local"
+ depends=""
+ description="--> Generate this target locally">
+ <echo message="Generating the '${product.name}' target locally ..."/>
+ <exec executable="ant" dir="${release.root}">
+ <arg value="-Dspecfile=${product.name}.spec"/>
+ <arg value="-Ddirsec=${dirsec}"/>
+ <arg value="${target}"/>
+ </exec>
+ <echo message="Completed generating the '${product.name}' target locally."/>
+ </target>
+
+
+ <target name="main"
+ depends=""
+ description="--> Generate component RPMS and SRPMS">
+ <echo message="Generating '${product.name}' RPMS and SRPMS ..."/>
+
+ <exec executable="pwd"
+ failonerror="true"
+ outputproperty="top.dir"/>
+ <echo message="Established the '${top.dir}' top-level directory."/>
+
+ <echo message="Creating the '${product.name}' source distribution ..."/>
+ <exec executable="ant"
+ dir="${release.root}">
+ <arg
+ value="-Dspecfile=${product.name}.spec"/>
+ <arg value="-Ddirsec=${dirsec}"/>
+ <arg value="distribute_source"/>
+ </exec>
+ <echo message="Completed creating the '${product.name}' source distribution."/>
+
+ <echo message="Creating '${product.name}' RPM directories ..."/>
+ <mkdir dir="${release.root}/dist/rpmpkg"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SOURCES"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/RPMS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SRPMS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SPECS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/BUILD"/>
+ <echo message="Completed creating '${product.name}' RPM directories."/>
+
+ <echo message="Building '${product.name}' RPMS and SRPMS ..."/>
+ <exec executable="rpmbuild"
+ dir="${release.root}">
+ <arg value="--define"/>
+ <arg value="_topdir ${top.dir}/${release.root}/dist/rpmpkg"/>
+ <arg value="-ta"/>
+ <arg value="${top.dir}/${release.root}/dist/source/${product.name}-${version}.tar.gz"/>
+ </exec>
+ <echo message="Completed building '${product.name}' RPMS and SRPMS."/>
+
+ <echo message="Removing various '${product.name}' RPM directories and files ..."/>
+ <delete dir="${release.root}/dist/rpmpkg/BUILD"/>
+ <echo message="Completed removing various '${product.name}' RPM directories and files."/>
+
+ <echo message="Completed generating '${product.name}' RPMS and SRPMS."/>
+ </target>
+
+</project>
+
diff --git a/pki/base/setup/pkicommon b/pki/base/setup/pkicommon
new file mode 100755
index 000000000..e5913c12b
--- /dev/null
+++ b/pki/base/setup/pkicommon
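Review bot: The `ant` and `rpmbuild` `<exec>` calls in the `main` target carry no `failonerror="true"`, unlike the `pwd` exec just above them, so a failed source-distribution build or a failed `rpmbuild -ta` still reaches the `Completed building ... RPMS and SRPMS` echo and the target exits successfully; both should read like `<exec executable="rpmbuild" failonerror="true" dir="${release.root}">`. The `ant` exec in the `local` target has the same gap. Because `rpmbuild -ta` runs the spec embedded in the tarball and the BUILD directory is deleted right afterwards, a silent failure here leaves little trace for a release pipeline to notice, so surfacing it is worth the one-attribute change.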
@@ -0,0 +1,2150 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+##############################################################
+# This file contains shared data and subroutines for
+# the "pkicreate" and "pkiremove" Perl scripts.
+##############################################################
+
+
+##############################################################
+# Perl Version
+##############################################################
+
+my $MINIMUM_PERL_VERSION = "5.006001";
+
+my $perl_version_error_message = "ERROR: Using Perl version $] ...\n"
+ . " Must use Perl version "
+ . "$MINIMUM_PERL_VERSION or later to "
+ . "run this script!\n";
+
+die "$perl_version_error_message" if $] < $MINIMUM_PERL_VERSION;
+
+
+##############################################################
+# Execution Check
+##############################################################
+
+# Check to insure that this script's original
+# invocation directory has not been deleted!
+my $cwd = `/bin/pwd`; +chomp $cwd; +if( "$cwd" eq "" ) { + print( STDERR "Cannot invoke '$0' from non-existent directory!\n" ); + print( STDOUT "\n" ); + exit 255; +} + + +############################################################## +# Environment Variables +############################################################## + +# untaint called subroutines +if( ( $^O ne 'Windows_NT' ) && ( $^O ne 'MSWin32' ) ) { + $> = $<; # set effective user ID to real UID + $) = $(; # set effective group ID to real GID + $ENV{ 'PATH' } = '/bin:/usr/bin'; + $ENV{ 'ENV' } = '' if $ENV{ 'ENV' } ne ''; +} + + +############################################################## +# Perl Modules +############################################################## + +# "File/Copy.pm", "FileHandle.pm", "Getopt/Long.pm", +# "Socket.pm", and "Sys/Long.pm" are all part of the +# standard Perl library and should therefore always be +# available +use File::Copy; +use FileHandle; +use Getopt::Long; +use Socket; +use Sys::Hostname; + + +############################################################## +# Shared Default Values +############################################################## + +$default_hardware_platform = ""; +$default_system_binaries = ""; +$default_system_libraries = ""; +$default_system_user_binaries = ""; +$default_system_user_libraries = ""; +$default_system_jni_java_path = ""; +$default_security_libraries = ""; +$default_certutil_command = ""; +$default_ldapmodify_command = ""; +$default_modutil_command = ""; + +# Compute "hardware platform" of Operating System +$default_hardware_platform = `pkiarch`; +$default_hardware_platform =~ s/\s+$//g; +chomp( $default_hardware_platform ); +if( $^O eq "linux" ) { + if( $default_hardware_platform eq "i386" ) { + # 32-bit Linux + $default_system_binaries = "/bin"; + $default_system_libraries = "/lib"; + $default_system_user_binaries = "/usr/bin"; + $default_system_user_libraries = "/usr/lib"; + $default_system_jni_java_path = "/usr/lib/java"; + } 
elsif( $default_hardware_platform eq "x86_64" ) { + # 64-bit Linux + $default_system_binaries = "/bin"; + $default_system_libraries = "/lib64"; + $default_system_user_binaries = "/usr/bin"; + $default_system_user_libraries = "/usr/lib64"; + $default_system_jni_java_path = "/usr/lib/java"; + } else { + print( STDERR + "ERROR: Unsupported '$^O' hardware platform " + . "'$default_hardware_platform'!\n" ); + print( "\n" ); + exit 255; + } +} elsif( $^O eq "solaris" ) { + if( $default_hardware_platform eq "sparc" ) { + # 32-bit Solaris + $default_system_binaries = "/bin"; + $default_system_libraries = "/lib"; + $default_system_user_binaries = "/usr/bin"; + $default_system_user_libraries = "/usr/lib"; + $default_system_jni_java_path = "/usr/lib/java"; + } elsif( $default_hardware_platform eq "sparcv9" ) { + # 64-bit Solaris + $default_system_binaries = "/bin"; + $default_system_libraries = "/lib/sparcv9"; + $default_system_user_binaries = "/usr/bin"; + $default_system_user_libraries = "/usr/lib/sparcv9"; + $default_system_jni_java_path = "/usr/lib/java"; + } else { + print( STDERR + "ERROR: Unsupported '$^O' hardware platform " + . "'$default_hardware_platform'!\n" ); + print( "\n" ); + exit 255; + } +} else { + print( STDERR + "ERROR: Unsupported platform '$^O'!\n" ); + print( "\n" ); + exit 255; +} + + +$default_security_libraries = "$default_system_user_libraries/dirsec"; + +$default_certutil_command = "$default_system_user_binaries/certutil"; +$default_ldapmodify_command = "$default_system_user_libraries/" + . 
"mozldap/ldapmodify"; +$default_modutil_command = "$default_system_user_binaries/modutil"; + + +############################################################## +# Global Constants +############################################################## + +$ROOTUID = 0; + +$MAX_WELL_KNOWN_PORT = 511; # well-known ports = 0 through 511 +$MAX_RESERVED_PORT = 1023; # reserved ports = 512 through 1023 +$MAX_REGISTERED_PORT = 49151; # registered ports = 1024 through 49151 +$MAX_DYNAMIC_PORT = 65535; # dynamic/private ports = 49152 through 65535 + +$FILE_PREFIX = "file://"; +$FTP_PREFIX = "ftp://"; +$HTTP_PREFIX = "http://"; +$HTTPS_PREFIX = "https://"; +$LDAP_PREFIX = "ldap://"; +$LDAPS_PREFIX = "ldaps://"; + + +############################################################## +# Global Variables +############################################################## + +# Platform-dependent parameters +$lib_prefix = ""; +$obj_ext = ""; +$path_sep = ""; +$tmp_dir = ""; + +# Retrieve hostname using Sys::Hostname +$hostname = hostname; + +# "logging" parameters +$logfile = ""; + +# Whether or not to do verbose mode +$verbose = 0; + + +############################################################## +# Local Variables +############################################################## + +# "identity" parameters +my $fqdn = ""; + +# "time" parameters +my $sec = 0; +my $min = 0; +my $hour = 0; +my $mday = 0; +my $mon = 0; +my $year = 0; +my $wday = 0; +my $yday = 0; +my $isdst = 0; + +# "logging" parameters +my $logfd = new FileHandle; + + +############################################################## +# Generic "platform" Subroutines +############################################################## + +# no args +# return 1 - true, or +# return 0 - false +sub is_Windows() +{ + if( ( $^O eq "Windows_NT" ) || ( $^O eq "MSWin32" ) ) { + return 1; + } + + return 0; +} + + +# no args +# return 1 - true, or +# return 0 - false +sub is_Linux() +{ + if( $^O eq "linux" ) { + return 1; + } + + return 0; +} + + +# 
no args +# return 1 - true, or +# return 0 - false +sub is_Fedora() +{ + if( is_Linux() && (-e "/etc/fedora-release") ) { + return 1; + } + + return 0; +} + + +# no args +# return 1 - true, or +# return 0 - false +sub is_RHEL() { + if( (! is_Fedora()) && (-e "/etc/redhat-release") ) { + return 1; + } + + return 0; +} + + +# no args +# return 1 - true, or +# return 0 - false +sub is_RHEL4() { + if( is_RHEL() ) { + my $releasefd = new FileHandle; + if( $releasefd->open("< /etc/redhat-release")) { + while( defined($line = <$releasefd>) ) { + if($line =~ /4/) { + return 1; + } + } + } + } + + return 0; +} + + +# no args +# no return value +sub setup_platform_dependent_parameters() +{ + # Setup path separators, et. al., based upon platform + if( is_Windows() ) { + $lib_prefix = ""; + $obj_ext = ".dll"; + $path_sep = ";"; + $tmp_dir = "c:\\temp"; + } elsif( $^O eq "hpux" ) { + $lib_prefix = "lib"; + $obj_ext = ".sl"; + $path_sep = ":"; + $tmp_dir = "/tmp"; + } else { + $lib_prefix = "lib"; + $obj_ext = ".so"; + $path_sep = ":"; + $tmp_dir = "/tmp"; + } + + return; +} + + +# arg0 Library Path +# no return value +sub set_library_path +{ + my( $path ) = @_; + + if( is_Windows() ) { + $ENV{PATH} = $path; + } elsif( $^O eq "hpux" ) { + $ENV{SHLIB_PATH} = $path; + } else { + $ENV{LD_LIBRARY_PATH} = $path; + } + + return; +} + + +# no args +# return Library Path Environment variable +sub get_library_path +{ + if( is_Windows() ) { + return $ENV{PATH}; + } elsif( $^O eq "hpux" ) { + return $ENV{SHLIB_PATH}; + } else { + return $ENV{LD_LIBRARY_PATH}; + } +} + + +############################################################## +# Generic "identity" Subroutines +############################################################## + +# no args +# return 1 - success, or +# return 0 - failure +sub check_for_root_UID() +{ + my $result = 0; + + # On Linux/UNIX, insure that this script is being run as "root"; + # First check the "Real" UID, and then check the "Effective" UID. 
+ if( !is_Windows() ) { + if( ( $< != $ROOTUID ) && + ( $> != $ROOTUID ) ) { + print( STDERR + "ERROR: This script must be run as root!\n" ); + print( STDOUT "\n" ); + $result = 0; + } else { + # Success -- running script as root + $result = 1; + } + } else { + print( STDERR + "ERROR: Root UID makes no sense on Windows machines!\n" ); + print( STDOUT "\n" ); + $result = 0; + } + + return $result; +} + + +# arg0 username +# return 1 - exists, or +# return 0 - DOES NOT exist +sub user_exists +{ + my( $username ) = $_[0]; + + my $result = 0; + + my $uid = getpwnam( $username ); + + if( $uid ne "" ) { + $result = 1; + } + + return $result; +} + + +# arg0 groupname +# return 1 - exists, or +# return 0 - DOES NOT exist +sub group_exists +{ + my( $groupname ) = $_[0]; + + my $result = 0; + + my $gid = getgrnam( $groupname ); + + if( $gid ne "" ) { + $result = 1; + } + + return $result; +} + + +# arg0 username +# arg1 groupname +# return 1 - is a member, or +# return 0 - is NOT a member +sub user_is_a_member_of_group +{ + my( $username ) = $_[0]; + my( $groupname ) = $_[1]; + + my $result = 0; + + if( !user_exists( $username ) ) { + return $result; + } + + if( !group_exists( $groupname ) ) { + return $result; + } + + my( $name, $passwd, $gid, $members ) = getgrnam( $groupname ); + + my $groupuser = $members =~ m/$username/; + + if( $groupuser >= 1 ) { + $result = 1; + } + + return $result; +} + + +# arg0 username +# return UID, or +# return (-1) - user is not in password file +sub get_UID_from_username +{ + my( $user ) = @_; + + my $my_username; + my $my_passwd; + my $my_uid; + + ( $my_username, $my_passwd, $my_uid ) = getpwnam( $user ); + + if( $my_username ne "" ) { + # return UID (0 implies root user) + return $my_uid; + } else { + # username '$user' is NOT in the password file + return ( -1 ); + } +} + + +# arg0 hostname, or +# arg0 IP address +# return fully-qualified domain name (FQDN) +sub get_FQDN +{ + if( $_[0] !~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) { + # Retrieve 
FQDN via a "mnemonic" hostname + ( $fqdn ) = gethostbyname( $_[0] ); + } else { + # Retrieve FQDN via a "4-tuple" IP address + $fqdn = gethostbyaddr( pack( 'C4', $1, $2, $3, $4 ), 2 ); + } + + return( $fqdn ); +} + + +############################################################## +# Generic "availability" Subroutines +############################################################## + +# arg0 URL prefix +# return 1 - URL prefix is known (success) +# return 0 - URL prefix is unknown (failure) +sub check_for_valid_url_prefix +{ + my( $url_prefix ) = @_; + + if( ( "$url_prefix" eq $FILE_PREFIX ) || + ( "$url_prefix" eq $FTP_PREFIX ) || + ( "$url_prefix" eq $HTTP_PREFIX ) || + ( "$url_prefix" eq $HTTPS_PREFIX ) || + ( "$url_prefix" eq $LDAP_PREFIX ) || + ( "$url_prefix" eq $LDAPS_PREFIX ) ) { + return 1; + } + + return 0; +} + + +# arg0 username +# arg1 port +# return 1 - port is available (success) +# return 0 - port is unavailable; report an error (failure) +sub IsLocalPortAvailable +{ + # parse parameters + my ( $user, $port ) = @_; + + # On Linux/UNIX, check well-known/reserved ports + if( !is_Windows() ) { + my $uid = -1; + + # retrieve the UID given the username + $uid = get_UID_from_username( $user ); + if( $uid == -1 ) { + print( "\n" ); + print( STDERR + "User '$user' is NOT in the password file!\n" ); + print( "\n" ); + return 0; + } + + # insure that well-known ports cannot be used by a non-root user + if( ( $port <= $MAX_WELL_KNOWN_PORT ) && ( $uid != $ROOTUID ) ) { + print( "\n" ); + print( STDERR + "ERROR: User '$user' is not allowed to bind to well-known " + . "port $port!\n" ); + print( "\n" ); + return 0; + } + + # insure that reserved ports cannot be used by a non-root user + if( ( $port <= $MAX_RESERVED_PORT ) && ( $uid != $ROOTUID ) ) { + print( "\n" ); + print( STDERR + "ERROR: User '$user' is not allowed to bind to reserved " + . 
"port $port!\n" ); + print( "\n" ); + return 0; + } + + # insure that the user has not specified a port greater than + # the number of dynamic/private ports + if( $port > $MAX_DYNAMIC_PORT ) { + print( "\n" ); + print( STDERR + "ERROR: User '$user' is not allowed to bind to a " + . "port greater than $MAX_DYNAMIC_PORT!\n" ); + print( "\n" ); + return 0; + } + + # if the user has specified a port greater than the number + # of registered ports, issue a warning and continue + if( $port > $MAX_REGISTERED_PORT ) { + print( "\n" ); + print( STDERR + "WARNING: User '$user' is binding to port $port; use of " + . "a dynamic/private port is discouraged!\n" ); + print( "\n" ); + } + } + + # initialize local variables + my $rv = 0; + my $status = "AVAILABLE"; + + # make a local TCP server socket + my $proto = getprotobyname( 'tcp' ); + socket( SERVER, PF_INET, SOCK_STREAM, $proto ); + + # create a local server socket address + my $server_address = sockaddr_in( $port, INADDR_ANY ); + + # attempt to bind this local server socket + # to this local server socket address + bind( SERVER, $server_address ) or $status = $!; + + # identify the status of this attempt to bind + if( $status eq "AVAILABLE" ) { + # this port is inactive + $rv = 1; + } elsif( $status eq "Address already in use" ) { + print( "\n" ); + print( STDERR + "ERROR: Unable to bind to local port $port : $status\n" ); + print( "\n" ); + $rv = 0; + } else { + print( "\n" ); + print( STDERR + "ERROR: Unable to bind to local port $port : $status\n" ); + print( "\n" ); + $rv = 0; + } + + # close local server socket + close( SERVER ); + + # return result + return $rv; +} + + +# arg0 HTTP or LDAP prefix +# arg1 host +# arg2 port +# return 2 - warn that server is unreachable (continue) +# return 1 - server is reachable (success) +# return 0 - server is unreachable; report an error (failure) +sub IsServerReachable +{ + # parse parameters + my( $prefix, $host, $port ) = @_; + + # check the validity of the prefix + my $result = 
0; + + $result = check_for_valid_url_prefix( $prefix ); + if( !$result ) { + print( "\n" ); + print( STDERR + "ERROR: Specified unknown url prefix\n" + . " '$prefix'!\n" ); + print( "\n" ); + return $result; + } + + # create a URL from the passed-in parameters + my $url = $prefix . "$host" . ":" . "$port"; + + # initialize the state of the Server referred to by this URL + my $rv = 0; + my $status = "ACTIVE"; + + # retrieve the remote host IP address + my $iaddr = inet_aton( $host ) or $status = $!; + if( $status ne "ACTIVE" ) { + print( "\n" ); + print( STDERR + "ERROR: Unable to contact the Server at\n" + . " '$url' :\n" + . " $status\n" ); + print( "\n" ); + return $rv; + } + + # create a remote server socket address + my $server_address = sockaddr_in( $port, $iaddr ); + + # make a local TCP client socket + my $proto = getprotobyname( 'tcp' ); + socket( CLIENT, PF_INET, SOCK_STREAM, $proto ); + + # attempt to connect this local client socket + # to the remote server socket address + connect( CLIENT, $server_address ) or $status = $!; + + # identify the status of this connection + if( $status eq "ACTIVE" ) { + # this '$host:$port' is reachable + $rv = 1; + } else { + print( "\n" ); + print( STDERR + "WARNING: Unable to contact the Server at\n" + . " '$url' :\n" + . 
" $status\n" ); + print( "\n" ); + } + + # close local client socket + close( CLIENT ); + + # return result + return $rv; +} + + +############################################################## +# Generic "time" Subroutines +############################################################## + +# no args +# return time stamp +sub get_time_stamp() +{ + my $stamp = sprintf "%4d-%02d-%02d %02d:%02d:%02d", + $year+1900, $mon+1, $mday, $hour, $min, $sec; + + return $stamp; +} + + +############################################################## +# Generic "random" Subroutines +############################################################## + +# arg0 low watermark value +# arg1 high watermark value +# return random number +sub generate_random +{ + my $low = $_[0]; + my $high = $_[1]; + + my $number = 0; + + if( $low >= $high || $low < 0 || $high < 0 ) { + return -1; + } + + $number = int( rand( $high -$low +1 ) ) + $low; + + return $number; +} + + +# arg0 length of string +# return random string +sub generate_random_string() +{ + my $length_of_randomstring=shift; # the length of the string + + my @chars=( 'a'..'z','A'..'Z','0'..'9' ); + my $random_string; + + foreach( 1..$length_of_randomstring ) { + $random_string .= $chars[rand @chars]; + } + + return $random_string; +} + + +############################################################## +# Generic "password" Subroutines +############################################################## + +# arg0 password +# return 1 - success +# return 0 - failure; report an error +sub password_quality_checker +{ + my( $password ) = @_; + + # Test #1: $password MUST be > 8 characters + if( length( $password ) < 8 ) { + print( "\n" ); + print( "Password entered is less than 8 characters. 
Try again.\n" ); + return 0; + } + + + # Test #2: $password MUST contain at least one non-alphabetic character + my @alphabet = ( "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", + "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", + "U", "V", "W", "X", "Y", "Z", "a", "b", "c", "d", + "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", + "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", + "y", "z" ); + + my $non_alphabetic_characters = 0; + for( $i = 0; $i < length( $password ); $i++ ) { + # always reset character type + my $found_alphabetic_character = 0; + + # extract the next character from the $password + my $character = substr( $password, $i, 1 ); + + # check to see if this character is "alphabetic" + for $letter (@alphabet) { + if( $character eq $letter ) { + $found_alphabetic_character = 1; + last; + } + } + + # keep a count of "non-alphabetic" characters + if( $found_alphabetic_character == 0 ) { + $non_alphabetic_characters++; + } + } + + # pass Test #2 if the $password contains any "non-alphabetic" characters + if( $non_alphabetic_characters > 0 ) { + return 1; + } else { + print( "\n" ); + print( "Password entered contains 0 non-alphabetic characters. " + . "Try again.\n" ); + return 0; + } +} + + +############################################################## +# Generic "LDAP" Subroutines +############################################################## + +# arg0 tokendb hostname - LDAP server name or IP address (default: localhost) +# arg1 tokendb port - LDAP server TCP port number (default: 389) +# arg2 tokendb password - bind passwd (for simple authentication) +# arg3 tokendb file - read modifications from file (default: standard input) +# no return value +sub LDAP_add +{ + my( $tokendb_hostname, $tokendb_port, $tokendb_password, $file ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . 
$path_sep + . $original_library_path ); + + $command = "$default_ldapmodify_command " + . "-h '$tokendb_hostname' " + . "-p '$tokendb_port' " + . "-D 'cn=directory manager' " + . "-w '$tokendb_password' " + . "-a " + . "-f '$file'"; + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +# arg0 tokendb hostname - LDAP server name or IP address (default: localhost) +# arg1 tokendb port - LDAP server TCP port number (default: 389) +# arg2 tokendb password - bind passwd (for simple authentication) +# arg3 tokendb file - read modifications from file (default: standard input) +# no return value +sub LDAP_modify +{ + my( $tokendb_hostname, $tokendb_port, $tokendb_password, $file ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + $command = "$default_ldapmodify_command " + . "-h '$tokendb_hostname' " + . "-p '$tokendb_port' " + . "-D 'cn=directory manager' " + . "-w '$tokendb_password' " + . "-f '$file'"; + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +############################################################## +# Generic "Security Databases" Subroutines +############################################################## + +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 password file - Specify the password file +# no return value +sub certutil_create_databases +{ + my( $instance_path, $pwdfile ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + if( "$pwdfile" eq "" ) { + $command = "$default_certutil_command " + . "-N " + . 
"-d $instance_path"; + } else { + $command = "$default_certutil_command " + . "-N " + . "-d $instance_path " + . "-f $pwdfile"; + } + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 token - Name of token in which to look for cert (default is internal, +# use "all" to look for cert on all tokens) +# arg2 nickname - The nickname of the cert to delete +# no return value +sub certutil_delete_cert +{ + my( $instance_path, $token, $nickname ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + $command = "$default_certutil_command " + . "-D " + . "-d $instance_path " + . "-h '$token' " + . "-n '$nickname'"; + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 token - Name of token in which to generate key (default is internal) +# arg2 subject - Specify the subject name (using RFC1485) +# arg3 password file - Specify the password file +# no return value +sub certutil_generate_CSR +{ + my( $instance_path, $token, $subject, $pwdfile ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + if( "$pwdfile" eq "" ) { + $command = "$default_certutil_command " + . "-R " + . "-d $instance_path " + . "-h '$token' " + . "-s '$subject' " + . "-a"; + } else { + $command = "$default_certutil_command " + . "-R " + . "-d $instance_path " + . "-h '$token' " + . "-s '$subject' " + . "-a " + . 
"-f $pwdfile"; + } + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 token - Name of token in which to store the certificate +# (default is internal) +# arg2 serial number - Cert serial number +# arg3 validity period - Months valid (default is 3) +# arg4 subject - Specify the subject name (using RFC1485) +# arg5 issuer name - The nickname of the issuer cert +# arg6 nickname - Specify the nickname of the server certificate +# arg7 trust args - Set the certificate trust attributes: +# p valid peer +# P trusted peer (implies p) +# c valid CA +# T trusted CA to issue client certs (implies c) +# C trusted CA to issue server certs (implies c) +# u user cert +# w send warning +# g make step-up cert +# arg8 noise file - Specify the noise file to be used +# (to introduce randomness during key generation) +# arg9 password file - Specify the password file +# no return value +sub certutil_generate_self_signed_cert +{ + my( $instance_path, $token, $serial_number, $validity_period, + $subject, $issuer_name, $nickname, $trustargs, $noise_file, + $pwdfile ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + if( "$pwdfile" eq "" ) { + $command = "$default_certutil_command " + . "-S " + . "-d $instance_path " + . "-h '$token' " + . "-m $serial_number " + . "-v $validity_period " + . "-x " + . "-s '$subject' " + . "-c '$issuer_name' " + . "-n '$nickname' " + . "-t '$trustargs' " + . "-z $noise_file " + . "> /dev/null " + . "2>&1"; + } else { + $command = "$default_certutil_command " + . "-S " + . "-d $instance_path " + . "-h '$token' " + . "-f $pwdfile " + . "-m $serial_number " + . "-v $validity_period " + . "-x " + . "-s '$subject' " + . 
"-c '$issuer_name' " + . "-n '$nickname' " + . "-t '$trustargs' " + . "-z $noise_file " + . "> /dev/null " + . "2>&1"; + } + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 token - Name of token in which to store the certificate +# (default is internal) +# arg2 nickname - Specify the nickname of the server certificate +# arg3 trust args - Set the certificate trust attributes: +# p valid peer +# P trusted peer (implies p) +# c valid CA +# T trusted CA to issue client certs (implies c) +# C trusted CA to issue server certs (implies c) +# u user cert +# w send warning +# g make step-up cert +# (e. g. - Server Cert 'u,u,u', CA Cert 'CT,CT,CT') +# arg4 cert - The certificate encoded in ASCII (RFC1113) +# no return value +sub certutil_import_cert +{ + my( $instance_path, $token, $nickname, $trustargs, $cert ) = @_; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + open( F, + "|$default_certutil_command " + . "-A " + . "-d $instance_path " + . "-h '$token' " + . "-n '$nickname' " + . "-t '$trustargs' " + . "-a" ); + print( F $cert ); + close( F ); + + set_library_path( $original_library_path ); + + return; +} + + +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 token - Name of token in which to look for cert (default is internal, +# use "all" to look for cert on all tokens) +# arg2 nickname - Pretty print named cert (list all if unspecified) +# no return value +sub certutil_print_cert +{ + my( $instance_path, $token, $nickname ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . 
$default_system_libraries . $path_sep + . $original_library_path ); + + if( $token ne "" ) { + # Raidzilla Bug #57616 - certutil is not being consistent, nickname + # requires token name for no reason. + $command = "$default_certutil_command " + . "-L " + . "-d $instance_path " + . "-h '$token' " + . "-n '$token:$nickname'"; + } else { + $command = "$default_certutil_command " + . "-L " + . "-d $instance_path " + . "-h '$token' " + . "-n '$nickname'"; + } + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +# no return value +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 token - Name of token in which to look for certs (default is internal, +# use "all" to list certs on all tokens) +sub certutil_list_certs +{ + my( $instance_path, $token ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + $command = "$default_certutil_command " + . "-L " + . "-d $instance_path " + . "-h '$token'"; + + system( "$command" ); + + set_library_path( $original_library_path ); + + return; +} + + +# arg0 instance path - Security databases directory (default is ~/.netscape) +# arg1 token - Add the named token to the module database +# arg2 library - The name of the file (.so or .dll) containing the +# implementation of PKCS #11 +# no return value +sub modutil_add_token +{ + my( $instance_path, $token, $library ) = @_; + + my $command = ""; + + my $original_library_path = get_library_path(); + + set_library_path( $default_security_libraries . $path_sep + . $default_system_user_libraries . $path_sep + . $default_system_libraries . $path_sep + . $original_library_path ); + + $command = "$default_modutil_command " + . "-force " + . "-dbdir $instance_path " + . "-add $token " + . "-libfile $library " + . 
"-nocertdb"; + + system( "$command > /dev/null 2>&1" ); + + set_library_path( $original_library_path ); + + return; +} + + +############################################################## +# Generic "logging" Subroutines +############################################################## + +# arg0 logfile name +# no return value +sub open_logfile +{ + my $logfile_name = $_[0]; + + $logfd->open( ">$logfile_name" ) or + die "Could not open $logfile_name\n"; + + return; +} + + +# arg0 logfile name +# arg1 message +# no return value +sub print_to_logfile +{ + my $logfile_name = $_[0]; + my $message = $_[1]; + + if( "$logfile_name" ne "" ) { + $logfd->print( "$message" ); + } + + return; +} + + +# arg0 logfile name +# no return value +sub close_logfile +{ + my $logfile_name = $_[0]; + + if( "$logfile_name" ne "" ) { + $logfd->close(); + } + + return; +} + + +############################################################## +# Generic "response" Subroutines +############################################################## + +# arg0 question +# return answer +sub prompt +{ + my $promptStr = $_[0]; + + my $answer = ""; + + print( STDOUT "$promptStr " ); + + $| = 1; + $answer = <STDIN>; + + chomp $answer; + + print( STDOUT "\n" ); + + return $answer; +} + + +############################################################## +# Generic "reply" Subroutines +############################################################## + +# arg0 file handle +# no return value +sub printFile +{ + my $fileHandle = $_[0]; + + while( <$fileHandle> ) { + my $line = $_; + chomp( $line ); + print( STDOUT "$line\n" ); + } + + return; +} + + +# arg0 message +# arg1 message type +# no return value +sub emit +{ + my $string = $_[0]; + my $type = $_[1]; + + my $force_emit = 0; + my $log_entry = ""; + + if( $type eq "error" || $type eq "info" ) { + $force_emit = 1; + } + + if( $type eq "" ) { + $type = "debug"; + } + + if( $string eq "" ) { + return; + } + + ( $sec, $min, $hour, $mday, + $mon, $year, $wday, $yday, 
$isdst ) = localtime( time ); + + my $stamp = get_time_stamp(); + + if( $verbose || $force_emit ) { + # print to stdout + if( $type ne "log" ) { + print( STDOUT "[$stamp] [$type] $string" ); + } + } + + # If a log file exists, write all types + # ( "debug", "error", "info", or "log" ) + # to this specified log file + $log_entry = "[$stamp] [$type] $string"; + print_to_logfile( "$logfile", "$log_entry" ); + + return; +} + + +############################################################## +# Generic "validity" Subroutines +############################################################## + +# arg0 path +# return 1 - valid, or +# return 0 - invalid +sub is_path_valid +{ + my $path = $_[0]; + + my @pathname = split( "/", $path ); + + shift @pathname unless $pathname[0]; + + my $valid = 0; + my $split_path; + + foreach $split_path ( @pathname ) { + chomp( $split_path ); + + if( !( $split_path !~ /^[-_.a-zA-Z0-9\[\]]+$/ ) ) { + $valid = 1; + } else { + $valid = 0; + last; + } + } + + return $valid; +} + + +# arg0 name +# return 1 - valid, or +# return 0 - invalid +sub is_name_valid +{ + my $name = $_[0]; + + my $result = 0; + + if( !( $name !~ /^[-_.a-zA-Z0-9]+$/ ) ) { + $result = 1; + } + + return $result; +} + + +############################################################## +# Generic "entity" Subroutines +############################################################## + +# arg0 entity +# return type of entity +sub entity_type +{ + my( $entity ) = $_[0]; + + if( -b $entity ) { + return "block special file"; + } elsif( -c $entity ) { + return "character special file"; + } elsif( -d $entity ) { + return "directory"; + } elsif( -f $entity ) { + if( -B $entity ) { + return "binary file"; + } elsif( -T $entity ) { + return "text file"; + } else { + return "plain file"; + } + } elsif( -l $entity ) { + return "symbolic link"; + } elsif( -p $entity ) { + return "named pipe"; + } elsif( -S $entity ) { + return "socket"; + } + + return "UNKNOWN"; +} + + +# arg0 entity +# return 1 - 
exists, or +# return 0 - DOES NOT exist +sub entity_exists +{ + my( $entity ) = $_[0]; + + my $result = 0; + + if( -e $entity ) { + my $type = entity_type( $entity ); + $result = 1; + } + + return $result; +} + + +############################################################## +# Generic "file" Subroutines +############################################################## + +# arg0 file candidate +# return 1 - exists, or +# return 0 - DOES NOT exist +sub file_exists +{ + my( $file ) = $_[0]; + + my $result = 0; + + if( -f $file ) { + $result = 1; + } elsif( -e $file ) { + my $type = entity_type( $file ); + emit( "File $file DOES NOT exist because $file is a $type!\n", + "error" ); + $result = 0; + } + + + return $result; +} + + +# arg0 file +# return 1 - empty, or +# return 0 - NOT empty +sub is_file_empty +{ + my( $file ) = $_[0]; + + my $result = 0; + + if( -z $file ) { + $result = 1; + } + + return $result; +} + + +# arg0 file +# no return value +sub create_empty_file +{ + my( $file ) = @_; + + if( is_Windows() ) { + open( FILE, "> $file" ); + close( FILE ); + } else { + my $rv = 0; + + $rv = `touch $file`; + if( !$rv ) { + emit( "create_empty_file(): unable to create empty file called " + . "$file.\n", + "error" ); + } + } + + return; +} + + +# arg0 file +# arg1 message +# no return value +sub create_file +{ + my( $file, $message ) = @_; + + $command = ""; + + if( is_Windows() ) { + if( "$message" eq "" ) { + open( FILE, "> $file" ); + close( FILE ); + } else { + open( FILE, "> $file" ); + print( FILE "$message" ); + close( FILE ); + } + } else { + my $rv = 0; + + if( "$message" eq "" ) { + $rv = `touch $file`; + if( !$rv ) { + emit( "create_file(): unable to create empty file called " + . 
"$file.\n", + "error" ); + } + } else { + $command = "echo '$message' > $file"; + + system( "$command" ); + } + } + + return; +} + + +# arg0 file +# arg1 destination path +# return 1 - successfully moved file, or +# return 0 - failed moving file +sub move_file +{ + my( $file ) = $_[0]; + my( $dest ) = $_[1]; + + my $result = 0; + + if( !is_path_valid( $file ) ) { + emit( "move_file(): illegal source path => $file.\n", + "error" ); + return 0; + } + + if( !is_path_valid( $dest ) ) { + emit( "move_file(): illegal destination path => $dest.\n", + "error" ); + return 0; + } + + $result = `mv $file $dest`; + if( $result == 0 ) { + return 1; + } + + emit( "move_file(): failed moving file $file to $dest.\n", + "error" ); + + return 0; +} + + +# arg0 source path +# arg1 destination path +# return 1 - successfully copied file, or +# return 0 - failed copying file +sub copy_file +{ + my $source_path = $_[0]; + my $dest_path = $_[1]; + + my $result = 0; + + if( !is_path_valid( $source_path ) ) { + emit( "copy_file(): illegal source path => $source_path.\n", + "error" ); + return 0; + } + + if( !is_path_valid( $dest_path ) ) { + emit( "copy_file(): illegal destination path => $dest_path.\n", + "error" ); + return 0; + } + + $result = `cp -f $source_path $dest_path`; + if( $result == 0 ) { + return 1; + } + + emit( "copy_file(): failed copying file from $source_path to " + . 
"$dest_path.\n", + "error" ); + + return 0; +} + + +# arg0 file +# return 1 - successfully removed file, or +# return 0 - failed removing file +sub remove_file +{ + my( $file ) = $_[0]; + + my $result = 0; + + if( $file eq "" ) { + # file is NULL + return 1; + } + + if( !file_exists( $file ) ) { + return 1; + } + + $result = `rm -f $file`; + if( $result == 0 ) { + return 1; + } + + emit( "remove_file(): failed to remove file $file.\n", + "error" ); + + return 0; +} + + +# arg0 file +# arg1 user +# arg2 group +# return 1 - success, or +# return 0 - failure +sub give_file_to +{ + my $file = $_[0]; + my $new_user = $_[1]; + my $new_group = $_[2]; + + my $result = 0; + + if( $file eq "" || !file_exists( $file ) ) { + emit( "give_file_to(): invalid file specified.\n", + "error" ); + return 0; + } + + if( $new_user eq "" || $new_group eq "" ) { + emit( "give_file_to(): file $file needs a user and group!\n", + "error" ); + return 0; + } + + $result = `chgrp $new_group $file`; + if( $result ) { + emit( "give_file_to(): can't change file $file ownership to " + . "group $new_group!\n", + "error" ); + return 0; + } + + $result = `chown $new_user $file`; + if( $result ) { + emit( "give_file_to(): can't change file $file ownership to " + . 
"user $new_user!\n", + "error" ); + return 0; + } + + return 1; +} + + +############################################################## +# Generic "directory" Subroutines +############################################################## + +# arg0 directory candidate +# return 1 - exists, or +# return 0 - DOES NOT exist +sub directory_exists +{ + my( $dir ) = $_[0]; + + my $result = 0; + + if( -d $dir ) { + $result = 1; + } elsif( -e $dir ) { + my $type = entity_type( $dir ); + emit( "Directory $dir DOES NOT exist because $dir is a $type!\n", + "error" ); + $result = 0; + } + + return $result; +} + + +# arg0 directory +# return 1 - empty, or +# return 0 - NOT empty +sub is_directory_empty +{ + my $dir = $_[0]; + + my $empty = 1; + my $entity = ""; + + if( !directory_exists( $dir ) ) { + return 1; + } + + opendir( DIR, $dir ); + while( defined( $entity = readdir( DIR ) ) && ( $empty == 1 ) ) { + if( $entity ne "." && $entity ne ".." ) { + # NOTE: This is not necessarily an error! + # + # my $type = entity_type( "$dir/$entity" ); + # emit( " Found $type $entity in directory $dir.\n", + # "debug" ); + + $empty = 0; + } + } + closedir( DIR ); + + return $empty; +} + + +# arg0 directory +# return 1 - success, or +# return 0 - failure +sub create_directory +{ + my( $dir ) = $_[0]; + + my $result = 0; + + if( $dir eq "" ) { + # directory is NULL + # Just return success + return 1; + } + + $result = `mkdir -p $dir`; + if( $result == 0 ) { + return 1; + } + + emit( "create_directory(): failed creating directory $dir.\n", + "error" ); + + return 0; +} + + +# arg0 directory +# arg1 destination path +# return 1 - successfully moved directory, or +# return 0 - failed moving directory +sub move_directory +{ + my( $dir ) = $_[0]; + my( $dest ) = $_[1]; + + my $result = 0; + + if( !is_path_valid( $dir ) ) { + emit( "move_directory(): illegal source path => $dir.\n", + "error" ); + return 0; + } + + if( !is_path_valid( $dest ) ) { + emit( "move_directory(): illegal destination path => 
$dest.\n", + "error" ); + return 0; + } + + if( !directory_exists( $dest ) ) { + $result = create_directory( $dest ); + if( !$result ) { + emit( "move_directory(): failed moving dir $dir to new $dest.\n", + "error" ); + return 0; + } + } + + $result = `mv $dir $dest`; + if( $result == 0 ) { + return 1; + } + + emit( "move_directory(): failed moving dir $dir to $dest.\n", + "error" ); + + return 0; +} + + +# arg0 source directory +# arg1 destination path +# return 1 - successfully copied directory, or +# return 0 - failed copying directory +sub copy_directory +{ + my $source_dir_path = $_[0]; + my $dest_dir_path = $_[1]; + + my $result = 0; + + if( !is_path_valid( $source_dir_path ) ) { + emit( "copy_directory(): illegal source path => $source_dir_path.\n", + "error" ); + return 0; + } + + if( !is_path_valid( $dest_dir_path ) ) { + emit( "copy_directory(): illegal destination path => " + . "$dest_dir_path.\n", + "error" ); + return 0; + } + + if( !directory_exists( $source_dir_path ) ) { + # Take the case where this directory does not exist + # Just return true + return 1; + } + + if( !directory_exists( $dest_dir_path ) ) { + $result = create_directory( $dest_dir_path ); + if( !$result ) { + return 0; + } + } + + if( !is_directory_empty( $source_dir_path ) ) { + $result = `cp -fr $source_dir_path/* $dest_dir_path`; + } else { + $result = 0; + } + + # System call returns 0 on success. + if( $result == 0 ) { + return 1; + } + + emit( "copy_directory(): failed copying directory from $source_dir_path " + . 
"to $dest_dir_path.\n", + "error" ); + + return 0; +} + + +# arg0 directory +# return 1 - successfully removed directory, or +# return 0 - failed removing directory +sub remove_directory +{ + my( $dir ) = $_[0]; + + my $result = 0; + + if( !is_path_valid( $dir ) ) { + emit( "remove_directory(): specified invalid directory $dir.\n", + "error" ); + return 0; + } + + if( $dir eq "/" ) { + emit( "remove_directory(): don't even think about removing root!.\n", + "error" ); + return 0; + } + + if( !directory_exists( $dir ) ) { + return 1; + } + + $result = `rm -rf $dir`; + if( $result == 0 ) { + return 1; + } + + emit( "remove_directory(): failed to remove directory $dir.\n", + "error" ); + + return 0; +} + + +# arg0 directory +# arg1 user +# arg2 group +# return 1 - success, or +# return 0 - failure +sub give_directory_to +{ + my $directory = $_[0]; + my $new_user = $_[1]; + my $new_group = $_[2]; + + my $result = 0; + + if( $directory eq "" || !directory_exists( $directory ) ) { + emit( "give_directory_to(): invalid directory specified.\n", + "error" ); + return 0; + } + + if( $new_user eq "" || $new_group eq "" ) { + emit( "give_directory_to(): directory $directory needs a user " + . "and group!\n", + "error" ); + return 0; + } + + $result = `chgrp -R $new_group $directory`; + if( $result ) { + emit( "give_directory_to(): can't change directory $directory " + . "ownership to group $new_group!\n", + "error" ); + return 0; + } + + $result = `chown -R $new_user $directory`; + if( $result ) { + emit( "give_directory_to(): can't change directory $directory " + . 
"ownership to user $new_user!\n", + "error" ); + return 0; + } + + return 1; +} + + +############################################################## +# Generic "symbolic link" Subroutines +############################################################## + +# arg0 symbolic link candidate +# return 1 - exists, or +# return 0 - DOES NOT exist +sub symbolic_link_exists +{ + my( $symlink ) = $_[0]; + + my $result = 0; + + if( -l $symlink ) { + $result = 1; + } elsif( -e $symlink ) { + my $type = entity_type( $symlink ); + emit( "Symbolic link $symlink DOES NOT exist because $symlink " + . "is a $type!\n", + "error" ); + $result = 0; + } + + + return $result; +} + + +# arg0 symbolic link +# arg1 destination path +# return 1 - success, or +# return 0 - failure +sub create_symbolic_link +{ + my $symlink = $_[0]; + my $dest_path = $_[1]; + + my $result = 0; + + + if( symbolic_link_exists( $symlink ) ) { + # delete symbolic link so that we can recreate link for upgrades + $result = `rm -rf $symlink`; + if( !$result ) { + emit( "create_symbolic_link(): unable to delete original " + . "$symlink.\n", + "error" ); + return 0; + } + } + + if( !is_path_valid( $symlink ) ) { + emit( "create_symbolic_link(): invalid source path => $symlink.\n", + "error" ); + return 0; + } + + if( !is_path_valid( $dest_path ) || !entity_exists( $dest_path ) ) { + emit( "create_symbolic_link(): illegal destination path => " + . "$dest_path.\n", + "error" ); + return 0; + } + + $result = `ln -s $dest_path $symlink`; + if( $result == 0 ) { + return 1; + } + + emit( "create_symbolic_link(): failed creating symbolic link " + . 
"$symlink to destination directory $dest_path.\n", + "error" ); + + return 0; +} + + +# arg0 symbolic link +# return 1 - successfully removed symbolic link, or +# return 0 - failed removing symbolic link +sub remove_symbolic_link +{ + my( $symlink ) = $_[0]; + + my $result = 0; + + if( $symlink eq "" ) { + # symlink is NULL + return 1; + } + + if( !symbolic_link_exists( $symlink ) ) { + return 1; + } + + $result = `rm -f $symlink`; + if( $result == 0 ) { + return 1; + } + + emit( "remove_symbolic_link(): failed to remove symbolic_link " + . "$symlink.\n", + "error" ); + + return 0; +} + + +# arg0 file +# arg1 user +# arg2 group +# return 1 - success, or +# return 0 - failure +sub give_symbolic_link_to +{ + my $symlink = $_[0]; + my $new_user = $_[1]; + my $new_group = $_[2]; + + my $result = 0; + + if( $symlink eq "" || !symbolic_link_exists( $symlink ) ) { + emit( "give_symbolic_link_to(): invalid symbolic link specified.\n", + "error" ); + return 1; + } + + if( $new_user eq "" || $new_group eq "" ) { + emit( "give_symbolic_link_to(): symbolic link $symlink needs a " + . "user and group!\n", + "error" ); + return 0; + } + + $result = `chgrp -h $new_group $symlink`; + if( $result ) { + emit( "give_symbolic_link_to(): can't change symbolic link $symlink " + . "ownership to group $new_group!\n", + "error" ); + return 0; + } + + $result = `chown -h $new_user $symlink`; + if( $result ) { + emit( "give_symbolic_link_to(): can't change symbolic link $symlink " + . "ownership to user $new_user!\n", + "error" ); + return 0; + } + + return 1; +} + +1; + diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate new file mode 100755 index 000000000..87439e3c1 --- /dev/null +++ b/pki/base/setup/pkicreate 
@@ -0,0 +1,2939 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+##############################################################
+# This script is used to create a new instance of a
+# subsystem within a PKI installation.
+#
+# Sample Invocation (for CA):
+#
+# ./pkicreate
+# -pki_instance_root=/var/lib
+# -pki_instance_name=pki-ca1
+# -subsystem_type=ca
+# -secure_port=9543
+# -unsecure_port=9180
+# -tomcat_server_port=1801
+# -user=pkiuser
+# -group=pkiuser
+# -redirect conf=/export/pki/pki-ca1/conf
+# -redirect logs=/export/pki/pki-ca1/logs
+# -verbose
+#
+##############################################################
+
+
+##############################################################
+# Perl Version
+##############################################################
+
+my $MINIMUM_PERL_VERSION = "5.006001";
+
+my $perl_version_error_message = "ERROR: Using Perl version $] ...\n"
+ . " Must use Perl version "
+ . "$MINIMUM_PERL_VERSION or later to "
+ .
"run this script!\n";
+
+die "$perl_version_error_message" if $] < $MINIMUM_PERL_VERSION;
+
+
+##############################################################
+# Execution Check
+##############################################################
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002;
+
+# Check to insure that this script's original
+# invocation directory has not been deleted!
+my $cwd = `/bin/pwd`;
+chomp $cwd;
+if( "$cwd" eq "" ) {
+ print( STDERR "Cannot invoke '$0' from non-existent directory!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+
+##############################################################
+# Environment Variables
+##############################################################
+
+# option to not run this script.
+if( defined( $ENV{ 'DONT_RUN_PKICREATE' } ) ) {
+ if( $ENV{ 'DONT_RUN_PKICREATE' } == 1 ) {
+ print( STDERR "Env. variable DONT_RUN_PKICREATE is set. Exiting.\n" );
+ print( STDOUT "\n" );
+ exit 0;
+ }
+}
+
+# additional option to not run this script on Solaris
+# (unfortunately, pkgadd doesn't process all environment variables)
+if( $^O eq "solaris" ) {
+ if( -f "/tmp/DONT_RUN_PKICREATE" ) {
+ print( STDERR "File DONT_RUN_PKICREATE exists.
Exiting.\n" );
+ print( STDOUT "\n" );
+ exit 0;
+ }
+}
+
+# untaint called subroutines
+if( ( $^O ne 'Windows_NT' ) && ( $^O ne 'MSWin32' ) ) {
+ $> = $<; # set effective user ID to real UID
+ $) = $(; # set effective group ID to real GID
+ $ENV{ 'PATH' } = '/bin:/usr/bin';
+ $ENV{ 'ENV' } = '' if $ENV{ 'ENV' } ne '';
+}
+
+
+##############################################################
+# Command-Line Variables
+##############################################################
+
+my $ARGS = ( $#ARGV + 1 );
+
+
+##############################################################
+# Shared Common Perl Data and Subroutines
+##############################################################
+
+# Compute "flavor" of Operating System
+my $pki_flavor = "";
+if( $^O eq "linux" ) {
+ $pki_flavor = `pkiflavor`;
+} elsif( $^O eq "solaris" ) {
+ $pki_flavor = `pkiflavor`;
+} else {
+ print( STDERR
+ "ERROR: Unsupported platform '$^O'!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+$pki_flavor =~ s/\s+$//g;
+
+# Establish path to scripts
+my $pki_subsystem_common_area = "/usr/share/$pki_flavor";
+my $common_path = "/usr/share/pki/scripts";
+
+if( ! -d "$common_path" ) {
+ print( STDERR
+ "ERROR: The path '$common_path' does not exist!\n"
+ . " Unable to load shared Common Perl Data "
+ . "and Subroutines!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+if( ! -e "$common_path/pkicommon" ) {
+ print( STDERR
+ "ERROR: The file '$common_path/pkicommon' does not exist!\n"
+ . " Unable to load shared Common Perl Data "
+ . "and Subroutines!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+eval( "use lib '" . $common_path .
"'" );
+require( 'pkicommon' );
+
+# make -w happy by suppressing warnings of Global variables used only once
+my $suppress = "";
+$suppress = $hostname;
+$suppress = $obj_ext;
+$suppress = $tmp_dir;
+$suppress = $default_security_libraries;
+$suppress = $default_system_libraries;
+$suppress = $lib_prefix;
+$suppress = $default_system_user_binaries;
+
+
+##############################################################
+# Local Constants
+##############################################################
+
+# Script used to complete setting up the PKI framework
+my $pkicomplete = "$pki_subsystem_common_area/scripts/pkicomplete";
+
+# Links created via initial "tomcat" installation that MUST be removed!!!
+my $jdbc_stdext_link = "/var/lib/tomcat5/common/lib/\[jdbc-stdext\].jar";
+my $jndi_link = "/var/lib/tomcat5/common/lib/\[jndi\].jar";
+my $jaas_link = "/var/lib/tomcat5/server/lib/\[jaas\].jar";
+
+# Subsystem names
+my $CA = "ca";
+my $OCSP = "ocsp";
+my $KRA = "kra";
+my $TKS = "tks";
+my $RA = "ra";
+my $TPS = "tps";
+
+# Base subsystem directory names
+my $acl_base_subsystem_dir = "acl"; # CA, KRA, OCSP, TKS
+my $alias_base_subsystem_dir = "alias"; # CA, KRA, OCSP, TKS, RA, TPS
+my $applets_base_subsystem_dir = "applets"; # TPS
+my $cgibin_base_subsystem_dir = "cgi-bin"; # TPS (Apache)
+my $conf_base_subsystem_dir = "conf"; # CA, KRA, OCSP, TKS, RA, TPS
+my $docroot_base_subsystem_dir = "docroot"; # RA, TPS (Apache)
+my $emails_base_subsystem_dir = "emails"; # CA
+my $etc_base_subsystem_dir = "etc"; # CA, KRA, OCSP, TKS, RA, TPS
+my $lib_base_subsystem_dir = "lib"; # RA, TPS
+my $logs_base_subsystem_dir = "logs"; # CA, KRA, OCSP, TKS, RA, TPS
+my $profiles_base_subsystem_dir = "profiles"; # CA, KRA, OCSP, TKS
+my $samples_base_subsystem_dir = "samples"; # TPS
+my $scripts_base_subsystem_dir = "scripts"; # RA, TPS
+my $shared_base_subsystem_dir = "shared"; # CA, KRA, OCSP, TKS (Tomcat)
+my $temp_base_subsystem_dir = "temp"; # CA, KRA, OCSP, TKS (Tomcat)
+my
$webapps_base_subsystem_dir = "webapps"; # CA, KRA, OCSP, TKS
+my $work_base_subsystem_dir = "work"; # CA, KRA, OCSP, TKS (Tomcat)
+
+# Base instance directory names
+my $acl_base_instance_dir = "acl"; # CA, KRA, OCSP, TKS
+my $alias_base_instance_dir = "alias"; # CA, KRA, OCSP, TKS, RA, TPS
+my $bin_base_instance_dir = "bin"; # TPS
+my $cgibin_base_instance_dir = "cgi-bin"; # TPS (Apache)
+my $conf_base_instance_dir = "conf"; # CA, KRA, OCSP, TKS, RA, TPS
+my $docroot_base_instance_dir = "docroot"; # RA, TPS (Apache)
+my $emails_base_instance_dir = "emails"; # CA
+my $lib_base_instance_dir = "lib"; # RA, TPS
+my $logs_base_instance_dir = "logs"; # CA, KRA, OCSP, TKS, RA, TPS
+my $profiles_base_instance_dir = "profiles"; # CA, KRA, OCSP, TKS
+my $scripts_base_instance_dir = "scripts"; # RA, TPS
+my $shared_base_instance_dir = "shared"; # CA, KRA, OCSP, TKS (Tomcat)
+my $temp_base_instance_dir = "temp"; # CA, KRA, OCSP, TKS (Tomcat)
+my $webapps_base_instance_dir = "webapps"; # CA, KRA, OCSP, TKS
+my $work_base_instance_dir = "work"; # CA, KRA, OCSP, TKS (Tomcat)
+
+# Base instance symbolic link names
+my $common_base_instance_symlink = "common"; # CA, KRA, OCSP, TKS
+my $conf_base_instance_symlink = "conf"; # CA, KRA, OCSP, TKS, RA, TPS
+my $logs_base_instance_symlink = "logs"; # CA, KRA, OCSP, TKS, RA, TPS
+my $run_base_instance_symlink = "run"; # RA, TPS
+
+# Base names
+my $cgi_home_base_name = "home/index.cgi"; # TPS
+my $cgi_demo_base_name = "demo/index.cgi"; # TPS
+my $cgi_so_base_name = "so/index.cgi"; # TPS
+my $cgi_sow_base_name = "sow/index.cgi"; # TPS
+my $addAgents_ldif_base_name = "addAgents.ldif"; # TPS
+my $addIndexes_ldif_base_name = "addIndexes.ldif"; # TPS
+my $addTokens_ldif_base_name = "addTokens.ldif"; # TPS
+my $addVLVIndexes_ldif_base_name = "addVLVIndexes.ldif"; # TPS
+my $apachectl_base_name = "apachectl"; # TPS
+my $nss_pcache_base_name = "nss_pcache"; # RA, TPS
+my $catalina_sh_base_name = "dtomcat5"; # CA, KRA, OCSP, TKS
+my
$certsrv_jar_base_name = "certsrv.jar"; # CA, KRA, OCSP, TKS
+my $nsutil_jar_base_name = "nsutil.jar"; # CA, KRA, OCSP, TKS
+my $cmsutil_jar_base_name = "cmsutil.jar"; # CA, KRA, OCSP, TKS
+my $cms_jar_base_name = "cms.jar"; # CA, KRA, OCSP, TKS
+my $cmsbundle_jar_base_name = "cmsbundle.jar"; # CA, KRA, OCSP, TKS
+my $cmscore_jar_base_name = "cmscore.jar"; # CA, KRA, OCSP, TKS
+my $conf_base_name = "conf"; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $httpd_base_name = "httpd"; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $httpd_conf_base_name = "httpd.conf"; # RA, TPS
+my $index_html_base_name = "index.html"; # CA, KRA, OCSP, TKS
+my $logs_base_name = "logs"; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $magic_base_name = "magic"; # RA, TPS
+my $mime_types_base_name = "mime.types"; # RA, TPS
+my $noise_base_name = "noise"; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $nss_conf_base_name = "nss.conf"; # RA, TPS
+my $perl_conf_base_name = "perl.conf"; # RA, TPS
+my $osutil_jar_base_name = "osutil.jar"; # CA, KRA, OCSP, TKS
+my $password_conf_base_name = "password.conf"; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $pfile_base_name = "pfile"; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $pki_cfg_base_name = "CS.cfg"; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $schemaMods_ldif_base_name = "schemaMods.ldif"; # RA, TPS
+my $server_xml_base_name = "server.xml"; # CA, KRA, OCSP, TKS
+my $servercertnick_conf_base_name = "serverCertNick.conf"; # CA, KRA, OCSP, TKS
+my $tomcat5_conf_base_name = "tomcat5.conf"; # CA, KRA, OCSP, TKS
+my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, TKS
+my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
+
+# Subdirectory names
+my $initd_base_subsystem_dir = "init.d"; # CA, KRA, OCSP, TKS, RA, TPS
+my $perl_base_instance_symlink = "perl"; # RA, TPS
+my $perl_base_subsystem_dir = "perl"; # RA, TPS
+my $webapps_root_base_instance_dir = "ROOT"; # CA, KRA, OCSP, TKS
+my $webapps_root_base_subsystem_dir = "ROOT"; # CA, KRA, OCSP, TKS
+my $webinf_base_instance_dir =
"WEB-INF"; # CA, KRA, OCSP, TKS
+
+# Defaults
+my $default_apache_pids_path = "/var/run";
+my $default_java_path = "/usr/share/java";
+my $default_dir_permissions = 00770;
+my $default_exe_permissions = 00770;
+my $default_file_permissions = 00660;
+my $default_security_token = "internal";
+my $default_start_stop_scripts = "/etc/init.d";
+my $default_tomcat_common_path = "/var/lib/tomcat5/common";
+
+# Default PKI user and group to give to PKI installed files
+my $pki_user = "pkiuser";
+my $pki_group = "pkiuser";
+
+# PKI creation constants
+my $db_password_low = 100000000000;
+my $db_password_high = 999999999999;
+
+# Template slot constants (RA, TPS)
+my $GROUPID = "GROUPID";
+my $HTTPD_CONF = "HTTPD_CONF";
+my $INSTANCE_ID = "INSTANCE_ID";
+my $LIB_PREFIX = "LIB_PREFIX";
+my $NSS_CONF = "NSS_CONF";
+my $OBJ_EXT = "OBJ_EXT";
+my $PORT = "PORT";
+my $PROCESS_ID = "PROCESS_ID";
+my $SECURE_PORT = "SECURE_PORT";
+my $SECURITY_LIBRARIES = "SECURITY_LIBRARIES";
+my $SERVER_NAME = "SERVER_NAME";
+my $SERVER_ROOT = "SERVER_ROOT";
+my $SUBSYSTEM_TYPE = "SUBSYSTEM_TYPE";
+my $SYSTEM_LIBRARIES = "SYSTEM_LIBRARIES";
+my $SYSTEM_USER_LIBRARIES = "SYSTEM_USER_LIBRARIES";
+my $TMP_DIR = "TMP_DIR";
+my $TPS_DIR = "TPS_DIR";
+my $USERID = "USERID";
+my $FORTITUDE_APACHE = "FORTITUDE_APACHE";
+my $FORTITUDE_DIR = "FORTITUDE_DIR";
+my $FORTITUDE_MODULE = "FORTITUDE_MODULE";
+my $FORTITUDE_LIB_DIR = "FORTITUDE_LIB_DIR";
+my $FORTITUDE_AUTH_MODULES = "FORTITUDE_AUTH_MODULES";
+my $FORTITUDE_NSS_MODULES = "FORTITUDE_NSS_MODULES";
+
+# Template slot constants (CA, KRA, OCSP, TKS)
+my $INSTALL_TIME = "INSTALL_TIME";
+my $PKI_CERT_DB_PASSWORD_SLOT = "PKI_CERT_DB_PASSWORD";
+my $PKI_CFG_PATH_NAME_SLOT = "PKI_CFG_PATH_NAME";
+my $PKI_GROUP_SLOT = "PKI_GROUP";
+my $PKI_INSTANCE_ID_SLOT = "PKI_INSTANCE_ID";
+my $PKI_INSTANCE_PATH_SLOT = "PKI_INSTANCE_PATH";
+my $PKI_INSTANCE_ROOT_SLOT = "PKI_INSTANCE_ROOT";
+my $PKI_MACHINE_NAME_SLOT = "PKI_MACHINE_NAME";
+my $PKI_RANDOM_NUMBER_SLOT =
"PKI_RANDOM_NUMBER";
+my $PKI_SECURE_PORT_SLOT = "PKI_SECURE_PORT";
+my $PKI_SERVER_XML_CONF = "PKI_SERVER_XML_CONF";
+my $PKI_SUBSYSTEM_TYPE_SLOT = "PKI_SUBSYSTEM_TYPE";
+my $PKI_UNSECURE_PORT_SLOT = "PKI_UNSECURE_PORT";
+my $PKI_USER_SLOT = "PKI_USER";
+my $TOMCAT_SERVER_PORT_SLOT = "TOMCAT_SERVER_PORT";
+my $PKI_FLAVOR_SLOT = "PKI_FLAVOR";
+
+# PKI removal constants
+my $saved_cleanup_file_name = ".cleanup.dat";
+my $saved_file_marker = "[files]";
+my $saved_directory_marker = "[directories]";
+
+
+##############################################################
+# Local Data Structures
+##############################################################
+
+# Useful pki references
+@installed_files = ();
+@installed_stray_directories = ();
+
+%redirects = ();
+
+
+##############################################################
+# Local Variables
+##############################################################
+
+# Command-line variables (mandatory)
+my $pki_instance_root = "";
+my $pki_instance_name = "";
+my $subsystem_type = "";
+my $secure_port = -1;
+my $unsecure_port = -1;
+my $tomcat_server_port = -1;
+
+# Command-line variables (optional)
+my $username = "";
+my $groupname = "";
+my $redirected_conf_path = "";
+my $redirected_logs_path = "";
+
+# Base subsystem directory paths
+my $pki_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $acl_subsystem_path = ""; # CA, KRA, OCSP, TKS
+my $alias_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $applets_subsystem_path = ""; # TPS
+my $bin_subsystem_path = ""; # TPS
+my $cgibin_subsystem_path = ""; # TPS (Apache)
+my $conf_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $docroot_subsystem_path = ""; # RA, TPS (Apache)
+my $emails_subsystem_path = ""; # CA
+my $etc_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $lib_subsystem_path = ""; # RA, TPS
+my $logs_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $profiles_subsystem_path = ""; # CA, KRA, OCSP, TKS
+my $samples_subsystem_path = "";
# TPS
+my $scripts_subsystem_path = ""; # RA, TPS
+my $shared_subsystem_path = ""; # CA, KRA, OCSP, TKS (Tomcat)
+my $temp_subsystem_path = ""; # CA, KRA, OCSP, TKS (Tomcat)
+my $webapps_subsystem_path = ""; # CA, KRA, OCSP, TKS
+my $common_ui_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $ui_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $work_subsystem_path = ""; # CA, KRA, OCSP, TKS (Tomcat)
+
+# Base instance directory paths
+my $pki_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $acl_instance_path = ""; # CA, KRA, OCSP, TKS
+my $alias_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $bin_instance_path = ""; # TPS
+my $cgibin_instance_path = ""; # TPS (Apache)
+my $conf_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $docroot_instance_path = ""; # RA, TPS (Apache)
+my $emails_instance_path = ""; # CA
+my $lib_instance_path = ""; # RA, TPS
+my $logs_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $profiles_instance_path = ""; # CA, KRA, OCSP, TKS
+my $scripts_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $shared_instance_path = ""; # CA, KRA, OCSP, TKS (Tomcat)
+my $temp_instance_path = ""; # CA, KRA, OCSP, TKS (Tomcat)
+my $webapps_instance_path = ""; # CA, KRA, OCSP, TKS
+my $webapps_subsystem_instance_path = ""; # CA, KRA, OCSP, TKS
+my $work_instance_path = ""; # CA, KRA, OCSP, TKS (Tomcat)
+
+# Base instance symbolic link paths
+my $common_instance_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $conf_instance_symlink_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $logs_instance_symlink_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+my $run_instance_symlink_path = ""; # RA, TPS
+
+# Subdirectory paths
+my $cgi_home_instance_file_path = ""; # TPS
+my $cgi_home_subsystem_file_path = ""; # TPS
+my $cgi_demo_instance_file_path = ""; # TPS
+my $cgi_demo_subsystem_file_path = ""; # TPS
+my $cgi_so_instance_file_path = ""; # TPS
+my $cgi_so_subsystem_file_path = ""; # TPS
+my $cgi_sow_instance_file_path = ""; # TPS
+my
$cgi_sow_subsystem_file_path = ""; # TPS
+my $addAgents_ldif_instance_file_path = ""; # TPS
+my $addAgents_ldif_subsystem_file_path = ""; # TPS
+my $addIndexes_ldif_instance_file_path = ""; # TPS
+my $addIndexes_ldif_subsystem_file_path = ""; # TPS
+my $addTokens_ldif_instance_file_path = ""; # TPS
+my $addTokens_ldif_subsystem_file_path = ""; # TPS
+my $addVLVIndexes_ldif_instance_file_path = ""; # TPS
+my $addVLVIndexes_ldif_subsystem_file_path = ""; # TPS
+my $apachectl_instance_file_path = ""; # TPS
+my $apachectl_subsystem_file_path = ""; # TPS
+my $catalina_sh_instance_file_path = ""; # CA, KRA, OCSP, TKS
+my $catalina_sh_subsystem_file_path = ""; # CA, KRA, OCSP, TKS
+my $certsrv_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $certsrv_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $cms_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $cms_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $nsutil_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $nsutil_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $cmsutil_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $cmsutil_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $cmsbundle_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $cmsbundle_jar_symlink = ""; # CA, KRA, OCSP, TKS
+my $cmscore_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $cmscore_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $httpd_conf_instance_file_path = ""; # RA, TPS
+my $httpd_conf_subsystem_file_path = ""; # RA, TPS
+my $index_html_instance_file_path = ""; # CA, KRA, OCSP, TKS
+my $index_html_subsystem_file_path = ""; # CA, KRA, OCSP, TKS
+my $java_pki_flavor_jar_path = ""; # CA, KRA, OCSP, TKS
+my $java_pki_flavor_subsystem_jar_path = ""; # CA, KRA, OCSP, TKS
+my $magic_instance_file_path = ""; # RA, TPS
+my $magic_subsystem_file_path = ""; # RA, TPS
+my $mime_types_instance_file_path = ""; # RA, TPS
+my $mime_types_subsystem_file_path = ""; # RA, TPS
+my $noise_instance_file_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $nss_conf_instance_file_path = ""; #
RA, TPS
+my $nss_conf_subsystem_file_path = ""; # RA, TPS
+my $perl_conf_instance_file_path = ""; # RA, TPS
+my $perl_conf_subsystem_file_path = ""; # RA, TPS
+my $osutil_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $osutil_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $password_conf_instance_file_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $perl_instance_symlink_path = ""; # RA, TPS
+my $perl_subsystem_path = ""; # RA, TPS
+my $pfile_instance_file_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $pki_cfg_instance_file_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $pki_cfg_subsystem_file_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $pki_start_stop_script_instance_file_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $pki_start_stop_script_subsystem_file_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $pki_start_stop_script_symlink_path = ""; # CA, KRA, OCSP, TKS,
+ # RA, TPS
+my $schemaMods_ldif_instance_file_path = ""; # RA, TPS
+my $schemaMods_ldif_subsystem_file_path = ""; # RA, TPS
+my $server_xml_instance_file_path = ""; # CA, KRA, OCSP, TKS
+my $server_xml_subsystem_file_path = ""; # CA, KRA, OCSP, TKS
+my $servercertnick_conf_instance_file_path = ""; # CA, KRA, OCSP, TKS
+my $servercertnick_conf_subsystem_file_path = ""; # CA, KRA, OCSP, TKS
+my $subsystem_jar_file_path = ""; # CA, KRA, OCSP, TKS
+my $subsystem_jar_symlink_path = ""; # CA, KRA, OCSP, TKS
+my $tomcat5_conf_subsystem_file_path = ""; # CA, KRA, OCSP, TKS
+my $tomcat5_conf_instance_file_path = ""; # CA, KRA, OCSP, TKS
+my $velocity_prop_instance_file_path = ""; # CA, KRA, OCSP, TKS
+my $velocity_prop_subsystem_file_path = ""; # CA, KRA, OCSP, TKS
+my $web_xml_instance_file_path = ""; # CA, KRA, OCSP, TKS
+my $web_xml_subsystem_file_path = ""; # CA, KRA, OCSP, TKS
+my $webapps_root_instance_path = ""; # CA, KRA, OCSP, TKS
+my $webapps_root_subsystem_path = ""; # CA, KRA, OCSP, TKS
+my $webapps_subsystem_instance_path = ""; # CA, KRA, OCSP, TKS
+my $webinf_instance_path = ""; # CA,
KRA, OCSP, TKS
+my $webinf_lib_instance_path = ""; # CA, KRA, OCSP, TKS
+my $webinf_subsystem_path = ""; # CA, KRA, OCSP, TKS
+
+# PKI creation variables
+my $host = "";
+my $db_password = 0;
+my $random = 0;
+
+
+##############################################################
+# Platform-Dependent Data Initialization
+##############################################################
+
+if( $^O eq "linux" ) {
+ $setup_base_subsystem_dir = "setup"; # CA, KRA, OCSP, TKS, RA, TPS
+ $setup_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+ $setup_config_instance_file_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+ $setup_config_subsystem_file_path = ""; # CA, KRA, OCSP, TKS, RA, TPS
+
+ # Linux required desktop files
+ $setup_config_area = "/usr/share/applications";
+ $setup_config_name = "config.desktop";
+
+ # Platform-specific directories
+ @pki_static_directories = ( "temp",
+ "shared",
+ "shared/lib",
+ "shared/common",
+ "shared/lib",
+ "work",
+ "setup" );
+
+ # Superuser and group to give to PKI installed files
+ $root_user = "root";
+ $root_group = "root";
+} elsif( $^O eq "solaris" ) {
+ # Platform-specific directories
+ @pki_static_directories = ( "temp",
+ "shared",
+ "shared/lib",
+ "shared/common",
+ "shared/lib",
+ "work" );
+
+ # Superuser and group to give to PKI installed files
+ $root_user = "root";
+ $root_group = "other";
+} else {
+ print( STDERR
+ "ERROR: Unsupported platform '$^O'!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+
+##############################################################
+# Local Data Initialization
+##############################################################
+
+# Initialize Java-specific variables
+if( $^O eq "linux" ) {
+ if( $default_hardware_platform eq "i386" ) {
+ # 32-bit Linux
+
+ # Supported hardware token PKCS #11 modules
+ %supported_sec_modules_hash = ( "lunasa",
+ "/usr/lunasa/lib/libCryptoki2.so",
+ "nfast",
+ "/opt/nfast/toolkits/pkcs11/libcknfast.so"
+ );
+ } elsif( $default_hardware_platform eq "x86_64" ) {
+ #
64-bit Linux
+
+ # Supported hardware token PKCS #11 modules
+ %supported_sec_modules_hash = ( "lunasa",
+ "/usr/lunasa/lib/libCryptoki2.so",
+ "nfast",
+ "/opt/nfast/toolkits/pkcs11/libcknfast.so"
+ );
+ } else {
+ print( STDERR
+ "ERROR: Unsupported '$^O' hardware platform "
+ . "'$default_hardware_platform'!\n" );
+ print( "\n" );
+ exit 255;
+ }
+} elsif( $^O eq "solaris" ) {
+ if( $default_hardware_platform eq "sparc" ) {
+ # 32-bit Solaris
+
+ # Supported hardware token PKCS #11 modules
+ %supported_sec_modules_hash = ( "lunasa",
+ "/usr/lunasa/lib/libCryptoki2.so",
+ "nfast",
+ "/opt/nfast/toolkits/pkcs11/libcknfast-32.so"
+ );
+ } elsif( $default_hardware_platform eq "sparcv9" ) {
+ # 64-bit Solaris
+
+ # Supported hardware token PKCS #11 modules
+ %supported_sec_modules_hash = ( "lunasa",
+ "/usr/lunasa/lib/libCryptoki2.so",
+ "nfast",
+ "/opt/nfast/toolkits/pkcs11/libcknfast-64.so"
+ );
+ } else {
+ print( STDERR
+ "ERROR: Unsupported '$^O' hardware platform "
+ . "'$default_hardware_platform'!\n" );
+ print( "\n" );
+ exit 255;
+ }
+} else {
+ print( STDERR
+ "ERROR: Unsupported platform '$^O'!\n" );
+ print( "\n" );
+ exit 255;
+}
+
+# Links created via initial "tomcat" installation that MUST be removed!!!
+if( -l $jdbc_stdext_link ) {
+ my $rv = `rm -f $jdbc_stdext_link`;
+ if( $rv ) {
+ print( STDERR
+ "ERROR: Unable to remove symbolic link called "
+ . "$jdbc_stdext_link!\n" );
+ print( "\n" );
+ exit 255;
+ }
+}
+
+if( -l $jndi_link ) {
+ my $rv = `rm -f $jndi_link`;
+ if( $rv ) {
+ print( STDERR
+ "ERROR: Unable to remove symbolic link called "
+ . "$jndi_link!\n" );
+ print( "\n" );
+ exit 255;
+ }
+}
+
+if( -l $jaas_link ) {
+ my $rv = `rm -f $jaas_link`;
+ if( $rv ) {
+ print( STDERR
+ "ERROR: Unable to remove symbolic link called "
+ .
"$jaas_link!\n" );
+ print( "\n" );
+ exit 255;
+ }
+}
+
+
+##############################################################
+# PKI Instance Creation Subroutines
+##############################################################
+
+# no args
+# no return value
+sub usage()
+{
+ print( STDOUT
+ "Usage: pkicreate -pki_instance_root=<pki_instance_root> "
+ . "# Instance root\n"
+ . " "
+ . "# directory\n"
+ . " "
+ . "# destination\n\n"
+ . " -pki_instance_name=<pki_instance_id> "
+ . "# Unique PKI\n"
+ . " "
+ . "# subsystem\n"
+ . " "
+ . "# instance name\n\n"
+ . " -subsystem_type=<subsystem_type> "
+ . "# Subsystem type\n"
+ . " "
+ . "# [ca | kra | ocsp |\n"
+ . " "
+ . "# tks | ra | tps]\n\n"
+ . " -secure_port=<secure_port> "
+ . "# Secure port\n\n"
+ . " -unsecure_port=<unsecure_port> "
+ . "# Unsecure port\n\n"
+ . " -tomcat_server_port=<tomcat_server_port> "
+ . "# Unique port\n"
+ . " "
+ . "# for each\n"
+ . " "
+ . "# tomcat instance\n"
+ . " "
+ . "# [ca | kra | ocsp |\n"
+ . " "
+ . "# tks] ONLY\n\n"
+ . " [-user=<username>] "
+ . "# user ownership\n"
+ . " "
+ . "# [must ALSO specify\n"
+ . " "
+ . "# group ownership]\n"
+ . " "
+ . "#\n"
+ . " "
+ . "# (Default=pkiuser)\n\n"
+ . " [-group=<groupname>] "
+ . "# group ownership\n"
+ . " "
+ . "# [must ALSO specify\n"
+ . " "
+ . "# user ownership]\n"
+ . " "
+ . "#\n"
+ . " "
+ . "# (Default=pkiuser)\n\n"
+ . " [-redirect conf=<real conf dir path>] "
+ . "# redirection of\n"
+ . " "
+ . "# conf directory\n\n"
+ . " [-redirect logs=<real logs dir path>] "
+ . "# redirection of\n"
+ . " "
+ . "# logs directory\n\n"
+ . " [-verbose] "
+ . "# Print out\n"
+ . " "
+ . "# liberal info\n"
+ . " "
+ . "# during pkicreate\n\n"
+ . " [-help] "
+ . "# Print out\n"
+ . " "
+ . "# this screen\n\n" );
+
+ print( STDOUT
+ "Example: pkicreate -pki_instance_root=/var/lib\n"
+ . " -pki_instance_name=$pki_flavor-ca1\n"
+ . " -subsystem_type=ca\n"
+ . " -secure_port=9543\n"
+ . " -unsecure_port=9180\n"
+ .
" -tomcat_server_port=1801\n"
+ . " -user=pkiuser\n"
+ . " -group=pkiuser\n"
+ . " -redirect conf=/export/pki/$pki_flavor-ca1/"
+ . "conf\n"
+ . " -redirect logs=/export/pki/$pki_flavor-ca1/"
+ . "logs\n"
+ . " -verbose\n\n" );
+
+ print( STDOUT
+ "IMPORTANT: Must be run as root!\n\n" );
+
+ return;
+}
+
+
+# arg0 instance name
+# return 1 - exists, or
+# return 0 - DOES NOT exist
+sub pki_instance_already_exists
+{
+ my $name = $_[0];
+ my $result = 0;
+
+ my $instance = $default_start_stop_scripts . "/" . $name;
+
+ if( -e $instance ) {
+ $result = 1;
+ }
+
+ return $result;
+}
+
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub parse_arguments()
+{
+ my $l_secure_port = -1;
+ my $l_unsecure_port = -1;
+ my $l_tomcat_server_port = -1;
+ my $show_help = 0;
+
+ $result = GetOptions( "help" => \$show_help,
+ "pki_instance_root=s" => \$pki_instance_root,
+ "pki_instance_name=s" => \$pki_instance_name,
+ "subsystem_type=s" => \$subsystem_type,
+ "secure_port:i" => \$l_secure_port,
+ "unsecure_port:i" => \$l_unsecure_port,
+ "tomcat_server_port:i" => \$l_tomcat_server_port,
+ "user=s" => \$username,
+ "group=s" => \$groupname,
+ "verbose" => \$verbose,
+ "redirect=s" => \%redirects );
+
+
+ ## Optional "-help" option - no "mandatory" options are required
+ if( $show_help ) {
+ usage();
+ return 0;
+ }
+
+
+ ## Mandatory "-pki_instance_root=s" option
+ if( $pki_instance_root eq "" ) {
+ emit( "Must have value for -pki_instance_root!\n", "error" );
+ usage();
+ return 0;
+ }
+
+ if( $pki_instance_root eq "/" ) {
+ emit( "Don't even think about making root the pki_instance_root! "
+ . "Try again.\n", "error" );
+ usage();
+ return 0;
+ }
+
+ # Remove all trailing directory separators ('/')
+ $pki_instance_root =~ s/\/+$//;
+
+ if( !is_path_valid( $pki_instance_root ) ) {
+ emit( "Target directory $pki_instance_root is not a "
+ .
"legal directory try again.\n",
+ "error" );
+ usage();
+ return 0;
+ }
+
+
+ ## Mandatory "-pki_instance_name=s" option
+ if( $pki_instance_name eq "" ) {
+ emit( "Must have value for -pki_instance_name!\n", "error" );
+ usage();
+ return 0;
+ }
+
+ if( !is_name_valid( $pki_instance_name ) ) {
+ emit( "Illegal Value => $pki_instance_name for -pki_instance_name!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+
+ if( pki_instance_already_exists( $pki_instance_name ) ) {
+ emit( "An instance named $pki_instance_name "
+ . "already exists; please try again.\n", "error" );
+ usage();
+ return 0;
+ }
+
+ $pki_instance_path = $pki_instance_root
+ . "/" . $pki_instance_name;
+
+ if( directory_exists( $pki_instance_path ) ) {
+ emit( "Target directory $pki_instance_path "
+ . "already exists; clean up and "
+ . "try again.\n", "error" );
+ usage();
+ return 0;
+ }
+
+
+ # capture installation information in a log file
+ # (always overwrite this file)
+ $logfile = "/var/log/$pki_instance_name-install.log";
+ open_logfile( $logfile );
+ push( @installed_files, $logfile );
+
+ emit( "Capturing installation information in $logfile.\n" );
+
+ emit( "Parsing PKI creation arguments ...\n" );
+
+ if( $verbose ) {
+ emit( " verbose mode is ENABLED\n" );
+ }
+
+ emit( " pki_instance_root $pki_instance_root\n" );
+ emit( " pki_instance_name $pki_instance_name\n" );
+
+
+ ## Mandatory "-subsystem_type=s" option
+ if( $subsystem_type ne $CA &&
+ $subsystem_type ne $KRA &&
+ $subsystem_type ne $OCSP &&
+ $subsystem_type ne $TKS &&
+ $subsystem_type ne $RA &&
+ $subsystem_type ne $TPS ) {
+ emit( "Illegal value => $subsystem_type : for -subsystem_type!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+
+ $pki_subsystem_path = $pki_subsystem_common_area
+ . "/" . $subsystem_type;
+
+ if( !( -d "$pki_subsystem_path" ) ) {
+ emit( "$pki_subsystem_path not present. "
+ .
"Please install the corresponding subsystem RPM first!\n",
+ "error" );
+ usage();
+ return 0;
+ } else {
+ emit( " subsystem_type $subsystem_type\n" );
+ }
+
+ ## Mandatory "-secure_port=<secure_port>" option
+ if( $l_secure_port >= 0 ) {
+ $secure_port = $l_secure_port;
+
+ emit( " secure_port $secure_port\n" );
+ } else {
+ emit( "Must include value for secure_port!\n", "error" );
+ usage();
+ return 0;
+ }
+
+
+ ## Mandatory "-unsecure_port=<unsecure_port>" option
+ if( $l_unsecure_port >= 0 ) {
+ $unsecure_port = $l_unsecure_port;
+
+ emit( " unsecure_port $unsecure_port\n" );
+ } else {
+ emit( "Must include value for unsecure_port!\n", "error" );
+ usage();
+ return 0;
+ }
+
+
+ ## Mandatory "-tomcat_server_port=<tomcat_server_port>" option/exclusion
+ if( !($subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
+ ## Mandatory OPTION for CA, KRA, OCSP, and TKS subsystems
+ if( $l_tomcat_server_port < 0 ) {
+ emit( "Must include value for tomcat_server_port!\n", "error" );
+ usage();
+ return 0;
+ }
+
+ $tomcat_server_port = $l_tomcat_server_port;
+
+ emit( " tomcat_server_port $tomcat_server_port\n" );
+ } else {
+ ## Mandatory EXCLUSION for RA and TPS subsystems
+ if( $l_tomcat_server_port != -1 ) {
+ emit( "Must NOT include value for tomcat_server_port!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+ }
+
+
+ ## Optional "-user=<username>" option
+ if( $username ne "" ) {
+ if( $groupname eq "" ) {
+ emit( "Must ALSO specify group ownership using -group!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+
+ if( !user_exists( $username ) ) {
+ emit( "The user '$username' is invalid on this machine!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+
+ # Overwrite default value of $pki_user with user-specified $username
+ $pki_user = $username;
+ }
+
+
+ ## Optional "-group=<groupname>" option
+ if( $groupname ne "" ) {
+ if( $username eq "" ) {
+ emit( "Must ALSO specify user ownership using -user!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+
+ if( !group_exists(
$groupname ) ) {
+ emit( "The group '$groupname' is invalid on this machine!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+
+ # Overwrite default value of $pki_group with user-specified $groupname
+ $pki_group = $groupname;
+ }
+
+
+ # At this point in time, ALWAYS check that "$pki_user"
+ # is a valid member of "$pki_group"
+ #
+ # NOTE: Uncomment the following code to enforce a strict policy of
+ # requiring $pki_user to be a member of $pki_group . . .
+ #
+ # if( !user_is_a_member_of_group( $pki_user, $pki_group ) ) {
+ # emit( "The user '$pki_user' is NOT a member of group '$pki_group'!\n",
+ # "error" );
+ # usage();
+ # return 0;
+ # }
+
+
+ ## Optional "-redirect <dir_name>=<real dir path> ..." option
+ while( my ($key, $value) = each( %redirects ) ) {
+ if( !is_path_valid( $value ) ) {
+ emit( "Illegal redirect directory value: key=$key value="
+ . "$value\n", "error" );
+ usage();
+ return 0;
+ }
+
+ if( $key eq "conf" ) {
+ $redirected_conf_path = $value;
+ emit( "setting conf_path $redirected_conf_path\n" );
+ } elsif( $key eq "logs" ) {
+ $redirected_logs_path = $value;
+ emit( "setting logs_path $redirected_logs_path\n" );
+ } else {
+ emit( "Illegal redirect directory key: key=$key value="
+ . "$value\n", "error" );
+ usage();
+ return 0;
+ }
+
+ emit( "redirect $key => $value\n" );
+ }
+
+ return 1;
+}
+
+
+# no args
+# no return value
+sub initialize_subsystem_paths()
+{
+ ## Initialize subsystem directory paths (subsystem independent)
+ $alias_subsystem_path = $pki_subsystem_path
+ . "/" . $alias_base_subsystem_dir;
+ $conf_subsystem_path = $pki_subsystem_path
+ . "/" . $conf_base_subsystem_dir;
+ $etc_subsystem_path = $pki_subsystem_path
+ . "/" . $etc_base_subsystem_dir;
+ $logs_subsystem_path = $pki_subsystem_path
+ . "/" . $logs_base_subsystem_dir;
+ if( $^O eq "linux" ) {
+ $setup_subsystem_path = $pki_subsystem_path
+ . "/" . 
$setup_base_subsystem_dir;
+ }
+
+ ## Initialize subsystem directory paths (CA subsystems)
+ if( $subsystem_type eq $CA ) {
+ $emails_subsystem_path = $pki_subsystem_path
+ . "/" . $emails_base_subsystem_dir;
+ }
+
+
+ $common_ui_subsystem_path = $pki_subsystem_common_area . "/" .
+ "common-ui";
+ $ui_subsystem_path = $pki_subsystem_path . "-ui";
+
+ ## Initialize subsystem directory paths (RA, TPS subsystems)
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+ if( $subsystem_type eq $TPS ) {
+ $applets_subsystem_path = $pki_subsystem_path
+ . "/" . $applets_base_subsystem_dir;
+ $bin_subsystem_path = $default_system_user_libraries
+ . "/" . $pki_flavor
+ . "/" . $subsystem_type;
+ $samples_subsystem_path = $pki_subsystem_path
+ . "/" . $samples_base_subsystem_dir;
+ }
+
+ $lib_subsystem_path = $pki_subsystem_path
+ . "/" . $lib_base_subsystem_dir;
+ $scripts_subsystem_path = $pki_subsystem_path
+ . "/" . $scripts_base_subsystem_dir;
+
+ # Apache Specific
+ if( $subsystem_type eq $TPS ) {
+ $cgibin_subsystem_path = $pki_subsystem_path
+ . "/" . $cgibin_base_subsystem_dir;
+ }
+
+ # Apache Specific
+ $docroot_subsystem_path = $pki_subsystem_path
+ . "/" . $docroot_base_subsystem_dir;
+ } else {
+
+ ## Initialize subsystem directory paths (CA, KRA, OCSP, TKS subsystems)
+
+ $acl_subsystem_path = $pki_subsystem_path
+ . "/" . $acl_base_subsystem_dir;
+ $profiles_subsystem_path = $pki_subsystem_path
+ . "/" . $profiles_base_subsystem_dir;
+ $webapps_subsystem_path = $pki_subsystem_path
+ . "/" . $webapps_base_subsystem_dir;
+
+ # Tomcat Specific
+ $shared_subsystem_path = $pki_subsystem_path
+ . "/" . $shared_base_subsystem_dir;
+ $temp_subsystem_path = $pki_subsystem_path
+ . "/" . $temp_base_subsystem_dir;
+ $work_subsystem_path = $pki_subsystem_path
+ . "/" . 
$work_base_subsystem_dir;
+ }
+
+ return;
+}
+
+
+# no args
+# no return value
+sub initialize_instance_paths()
+{
+ ## Initialize instance directory paths (instance independent)
+ $alias_instance_path = $pki_instance_path
+ . "/" . $alias_base_instance_dir;
+ $conf_instance_path = $pki_instance_path
+ . "/" . $conf_base_instance_dir;
+ $logs_instance_path = $pki_instance_path
+ . "/" . $logs_base_instance_dir;
+
+
+ ## Initialize instance directory paths (CA instances)
+ if( $subsystem_type eq $CA ) {
+ $emails_instance_path = $pki_instance_path
+ . "/" . $emails_base_instance_dir;
+ }
+
+
+ ## Initialize instance directory paths (RA, TPS instances)
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+ if( $subsystem_type eq $TPS ) {
+ $bin_instance_path = $pki_instance_path
+ . "/" . $bin_base_instance_dir;
+ }
+
+ $lib_instance_path = $pki_instance_path
+ . "/" . $lib_base_instance_dir;
+ $scripts_instance_path = $pki_instance_path
+ . "/" . $scripts_base_instance_dir;
+
+ # Apache Specific
+ if( $subsystem_type eq $TPS ) {
+ $cgibin_instance_path = $pki_instance_path
+ . "/" . $cgibin_base_instance_dir;
+ }
+
+ # Apache Specific
+ $docroot_instance_path = $pki_instance_path
+ . "/" . $docroot_base_instance_dir;
+ } else {
+ ## Initialize instance directory paths (CA, KRA, OCSP, TKS instances)
+ $acl_instance_path = $pki_instance_path
+ . "/" . $acl_base_instance_dir;
+ $profiles_instance_path = $pki_instance_path
+ . "/" . $profiles_base_instance_dir;
+ $webapps_instance_path = $pki_instance_path
+ . "/" . $webapps_base_instance_dir;
+ $webapps_subsystem_instance_path = $webapps_instance_path . "/"
+ . $subsystem_type;
+
+ # Tomcat Specific
+ $shared_instance_path = $pki_instance_path
+ . "/" . $shared_base_instance_dir;
+ $temp_instance_path = $pki_instance_path
+ . "/" . $temp_base_instance_dir;
+ $work_instance_path = $pki_instance_path
+ . "/" . 
$work_base_instance_dir;
+ }
+
+ return;
+}
+
+
+# no args
+# no return value
+sub initialize_instance_symlink_paths()
+{
+ ## Initialize instance symlinks (instance independent)
+ $conf_instance_symlink_path = $pki_instance_path
+ . "/" . $conf_base_instance_symlink;
+ $logs_instance_symlink_path = $pki_instance_path
+ . "/" . $logs_base_instance_symlink;
+
+
+ ## Initialize instance symlinks (CA instances)
+ # if( $subsystem_type eq $CA ) {
+ # }
+
+
+ ## Initialize instance symlinks (RA, TPS instances)
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+ # Apache Specific
+ $run_instance_symlink_path = $pki_instance_path
+ . "/" . $run_base_instance_symlink;
+ } else {
+ ## Initialize instance symlinks (CA, KRA, OCSP, TKS instances)
+ $common_instance_symlink_path = $pki_instance_path
+ . "/" . $common_base_instance_symlink;
+ }
+
+ return;
+}
+
+
+# no args
+# no return value
+sub initialize_subdirectory_paths()
+{
+ ## Initialize subdirectory paths (subsystem independent)
+ $pki_cfg_subsystem_file_path = $conf_subsystem_path
+ . "/" . $pki_cfg_base_name;
+ $pki_start_stop_script_instance_file_path = $default_start_stop_scripts
+ . "/" . $pki_instance_name;
+ $pki_start_stop_script_subsystem_file_path = $pki_subsystem_path
+ . "/" . $etc_base_subsystem_dir
+ . "/" . $initd_base_subsystem_dir
+ . "/" . $httpd_base_name;
+ $pki_start_stop_script_symlink_path = $pki_instance_path
+ . "/" . $pki_instance_name;
+ if( $^O eq "linux" ) {
+ $setup_config_instance_file_path = $setup_config_area
+ . "/" . $pki_instance_name
+ . "-" . $setup_config_name;
+ $setup_config_subsystem_file_path = $setup_subsystem_path
+ . "/" . $setup_config_name;
+ }
+
+
+ ## Initialize subdirectory paths (CA subsystems)
+ # if( $subsystem_type eq $CA ) {
+ # }
+
+
+ ## Initialize subdirectory paths (RA, TPS subsystems)
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+
+ if( $subsystem_type eq $TPS ) {
+
+ $apachectl_instance_file_path = $bin_instance_path
+ . "/" . 
$apachectl_base_name;
+ $apachectl_subsystem_file_path = $bin_subsystem_path
+ . "/" . $apachectl_base_name;
+ $cgi_home_instance_file_path = $cgibin_instance_path
+ . "/"
+ . $cgi_home_base_name;
+ $cgi_home_subsystem_file_path = $cgibin_subsystem_path
+ . "/"
+ . $cgi_home_base_name;
+ $cgi_demo_instance_file_path = $cgibin_instance_path
+ . "/"
+ . $cgi_demo_base_name;
+ $cgi_demo_subsystem_file_path = $cgibin_subsystem_path
+ . "/"
+ . $cgi_demo_base_name;
+ $cgi_so_instance_file_path = $cgibin_instance_path
+ . "/"
+ . $cgi_so_base_name;
+ $cgi_so_subsystem_file_path = $cgibin_subsystem_path
+ . "/"
+ . $cgi_so_base_name;
+ $cgi_sow_instance_file_path = $cgibin_instance_path
+ . "/"
+ . $cgi_sow_base_name;
+ $cgi_sow_subsystem_file_path = $cgibin_subsystem_path
+ . "/"
+ . $cgi_sow_base_name;
+ $addAgents_ldif_instance_file_path = $scripts_instance_path
+ . "/"
+ . $addAgents_ldif_base_name;
+ $addAgents_ldif_subsystem_file_path = $scripts_subsystem_path
+ . "/"
+ . $addAgents_ldif_base_name;
+ $addIndexes_ldif_instance_file_path = $scripts_instance_path
+ . "/"
+ . $addIndexes_ldif_base_name;
+ $addIndexes_ldif_subsystem_file_path = $scripts_subsystem_path
+ . "/"
+ . $addIndexes_ldif_base_name;
+ $addTokens_ldif_instance_file_path = $scripts_instance_path
+ . "/"
+ . $addTokens_ldif_base_name;
+ $addTokens_ldif_subsystem_file_path = $scripts_subsystem_path
+ . "/"
+ . $addTokens_ldif_base_name;
+ $addVLVIndexes_ldif_instance_file_path = $scripts_instance_path
+ . "/"
+ . $addVLVIndexes_ldif_base_name;
+ $addVLVIndexes_ldif_subsystem_file_path = $scripts_subsystem_path
+ . "/"
+ . $addVLVIndexes_ldif_base_name;
+ $schemaMods_ldif_instance_file_path = $scripts_instance_path
+ . "/"
+ . $schemaMods_ldif_base_name;
+ $schemaMods_ldif_subsystem_file_path = $scripts_subsystem_path
+ . "/"
+ . $schemaMods_ldif_base_name;
+ }
+
+ $nss_pcache_instance_file_path = $scripts_instance_path
+ . "/"
+ . 
$nss_pcache_base_name;
+ $nss_pcache_subsystem_file_path = $scripts_subsystem_path
+ . "/"
+ . $nss_pcache_base_name;
+ $httpd_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $httpd_conf_base_name;
+ $magic_subsystem_file_path = $conf_subsystem_path
+ . "/" . $magic_base_name;
+ $mime_types_subsystem_file_path = $conf_subsystem_path
+ . "/" . $mime_types_base_name;
+ $nss_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $nss_conf_base_name;
+ $perl_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $perl_conf_base_name;
+ $perl_instance_symlink_path = $lib_instance_path
+ . "/"
+ . $perl_base_instance_symlink;
+ $perl_subsystem_path = $lib_subsystem_path
+ . "/"
+ . $perl_base_subsystem_dir;
+ } else {
+ ## Initialize subdirectory paths (CA, KRA, OCSP, TKS subsystems)
+ $webapps_root_instance_path = $webapps_instance_path
+ . "/"
+ . $webapps_root_base_instance_dir;
+ $webapps_root_subsystem_path = $webapps_subsystem_path
+ . "/"
+ . $webapps_root_base_subsystem_dir;
+ $webapps_subsystem_instance_path = $webapps_instance_path
+ . "/" . $subsystem_type;
+ $webinf_instance_path = $webapps_instance_path
+ . "/" . $subsystem_type
+ . "/" . $webinf_base_instance_dir;
+ $webinf_subsystem_path = $webapps_subsystem_path
+ . "/" . $subsystem_type
+ . "/" . $webinf_base_instance_dir;
+ $webinf_lib_instance_path = $webinf_instance_path
+ . "/" . $lib_base_instance_dir;
+
+ $java_pki_flavor_jar_path = $default_java_path
+ . "/" . $pki_flavor;
+ $java_pki_flavor_subsystem_jar_path = $java_pki_flavor_jar_path
+ . "/" . $subsystem_type;
+
+ $catalina_sh_instance_file_path = $default_system_user_binaries
+ . "/" . $catalina_sh_base_name
+ . "-" . $pki_instance_name;
+ $catalina_sh_subsystem_file_path = $conf_subsystem_path
+ . "/" . $catalina_sh_base_name;
+ $certsrv_jar_file_path = $java_pki_flavor_jar_path
+ . "/" . $certsrv_jar_base_name;
+ $certsrv_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . 
$certsrv_jar_base_name;
+ $nsutil_jar_file_path = $java_pki_flavor_jar_path
+ . "/" . $nsutil_jar_base_name;
+ $nsutil_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . $nsutil_jar_base_name;
+ $cmsutil_jar_file_path = $java_pki_flavor_jar_path
+ . "/" . $cmsutil_jar_base_name;
+ $cmsutil_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . $cmsutil_jar_base_name;
+ $cms_jar_file_path = $java_pki_flavor_jar_path
+ . "/" . $cms_jar_base_name;
+ $cms_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . $cms_jar_base_name;
+ $cmsbundle_jar_file_path = $java_pki_flavor_jar_path
+ . "/" . $cmsbundle_jar_base_name;
+ $cmsbundle_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . $cmsbundle_jar_base_name;
+ $cmscore_jar_file_path = $java_pki_flavor_jar_path
+ . "/" . $cmscore_jar_base_name;
+ $cmscore_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . $cmscore_jar_base_name;
+ $index_html_instance_file_path = $webapps_root_instance_path
+ . "/" . $index_html_base_name;
+ $index_html_subsystem_file_path = $webapps_root_subsystem_path
+ . "/" . $index_html_base_name;
+ $osutil_jar_file_path = $default_system_jni_java_path
+ . "/" . $osutil_jar_base_name;
+ $osutil_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . $osutil_jar_base_name;
+ $server_xml_subsystem_file_path = $conf_subsystem_path
+ . "/" . $server_xml_base_name;
+ $servercertnick_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $servercertnick_conf_base_name;
+ $subsystem_jar_file_path = $java_pki_flavor_subsystem_jar_path
+ . "/" . $subsystem_type . ".jar";
+ $subsystem_jar_symlink_path = $webinf_lib_instance_path
+ . "/" . $subsystem_type . ".jar";
+ $tomcat5_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $tomcat5_conf_base_name;
+ $velocity_prop_instance_file_path = $webinf_instance_path
+ . "/" . $velocity_prop_base_name;
+ $velocity_prop_subsystem_file_path = $webinf_subsystem_path
+ . "/" . 
$velocity_prop_base_name;
+ $web_xml_instance_file_path = $webinf_instance_path
+ . "/" . $web_xml_base_name;
+ $web_xml_subsystem_file_path = $webinf_subsystem_path
+ . "/" . $web_xml_base_name;
+ }
+}
+
+
+# no args
+# no return value
+sub initialize_paths()
+{
+ initialize_subsystem_paths();
+ initialize_instance_paths();
+ initialize_instance_symlink_paths();
+ initialize_subdirectory_paths();
+}
+
+
+# no args
+# no return value
+sub initialize_pki_creation_values()
+{
+ # obtain the fully-qualified domain name of this host
+ $host = get_FQDN( $hostname );
+
+ # we need the certdb password generated now ...
+ $db_password = generate_random( $db_password_low, $db_password_high );
+
+ # generate a random value for a pin ...
+ $random = generate_random_string( 20 );
+}
+
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub process_pki_directories()
+{
+ my $result = 0;
+
+ emit( "Processing PKI directories for '$pki_instance_path' ...\n" );
+
+ ## Populate instance directory paths (instance independent)
+ $result = copy_directory( $alias_subsystem_path,
+ $alias_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $alias_subsystem_path to $alias_instance_path ...\n" );
+ return 0;
+ }
+
+ # Check for an optionally redirected "conf" directory path ...
+ if( $redirected_conf_path eq "" ) {
+ $noise_instance_file_path = $conf_instance_path
+ . "/" . $noise_base_name;
+ $password_conf_instance_file_path = $conf_instance_path
+ . "/" . $password_conf_base_name;
+ $pfile_instance_file_path = $conf_instance_path
+ . "/" . $pfile_base_name;
+ $pki_cfg_instance_file_path = $conf_instance_path
+ . "/" . $pki_cfg_base_name;
+
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+ $httpd_conf_instance_file_path = "$conf_instance_path"
+ . "/" . $httpd_conf_base_name;
+ $magic_instance_file_path = "$conf_instance_path"
+ . "/" . $magic_base_name;
+ $mime_types_instance_file_path = $conf_instance_path
+ . "/" . 
$mime_types_base_name;
+ $nss_conf_instance_file_path = "$conf_instance_path"
+ . "/" . $nss_conf_base_name;
+ $perl_conf_instance_file_path = "$conf_instance_path"
+ . "/" . $perl_conf_base_name;
+
+ # create instance directory
+ $result = create_directory( $conf_instance_path );
+ if( !$result ) {
+ emit( "Failed to create directory $conf_instance_path ...\n" );
+ return 0;
+ }
+
+ # only copy selected files
+ $result = copy_file( $magic_subsystem_file_path,
+ $magic_instance_file_path );
+ if( !$result ) {
+ emit( "Failed to copy file $magic_subsystem_file_path to $magic_instance_file_path ...\n" );
+ return 0;
+ }
+
+ $result = copy_file( $mime_types_subsystem_file_path,
+ $mime_types_instance_file_path );
+ if( !$result ) {
+ emit( "Failed to copy file $mime_types_subsystem_file_path to $mime_types_instance_file_path ...\n" );
+ return 0;
+ }
+
+ # fix permissions
+ if( !is_Windows() ) {
+ chmod( $default_file_permissions,
+ $magic_instance_file_path );
+ chmod( $default_file_permissions,
+ $mime_types_instance_file_path );
+ }
+ } else {
+ $server_xml_instance_file_path = $conf_instance_path
+ . "/" . $server_xml_base_name;
+ $servercertnick_conf_instance_file_path = $conf_instance_path
+ . "/" . $servercertnick_conf_base_name;
+ $tomcat5_conf_instance_file_path = $conf_instance_path
+ . "/" . $tomcat5_conf_base_name;
+
+ $result = copy_directory( $conf_subsystem_path,
+ $conf_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $conf_subsystem_path to $conf_instance_path ...\n" );
+ return 0;
+ }
+ }
+ } else {
+ $noise_instance_file_path = $redirected_conf_path
+ . "/" . $noise_base_name;
+ $password_conf_instance_file_path = $redirected_conf_path
+ . "/" . $password_conf_base_name;
+ $pfile_instance_file_path = $redirected_conf_path
+ . "/" . $pfile_base_name;
+ $pki_cfg_instance_file_path = $redirected_conf_path
+ . "/" . 
$pki_cfg_base_name;
+
+ # Populate optionally redirected instance directory path
+ # and setup a symlink in the standard area
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+ $httpd_conf_instance_file_path = "$redirected_conf_path"
+ . "/" . $httpd_conf_base_name;
+ $magic_instance_file_path = "$redirected_conf_path"
+ . "/" . $magic_base_name;
+ $mime_types_instance_file_path = $redirected_conf_path
+ . "/" . $mime_types_base_name;
+ $nss_conf_instance_file_path = "$redirected_conf_path"
+ . "/" . $nss_conf_base_name;
+ $perl_conf_instance_file_path = "$redirected_conf_path"
+ . "/" . $perl_conf_base_name;
+
+ # create redirected instance directory
+ $result = create_directory( $redirected_conf_path );
+ if( !$result ) {
+ emit( "Failed to create directory $redirected_conf_path ...\n" );
+ return 0;
+ }
+
+ # only copy selected files
+ $result = copy_file( $magic_subsystem_file_path,
+ $magic_instance_file_path );
+ if( !$result ) {
+ emit( "Failed to copy file $magic_subsystem_file_path to $magic_instance_file_path ...\n" );
+ return 0;
+ }
+
+ $result = copy_file( $mime_types_subsystem_file_path,
+ $mime_types_instance_file_path );
+ if( !$result ) {
+ emit( "Failed to copy file $mime_types_subsystem_file_path to $mime_types_instance_file_path ...\n" );
+ return 0;
+ }
+
+ # fix permissions
+ if( !is_Windows() ) {
+ chmod( $default_file_permissions,
+ $magic_instance_file_path );
+ chmod( $default_file_permissions,
+ $mime_types_instance_file_path );
+ }
+ } else {
+ $server_xml_instance_file_path = $redirected_conf_path
+ . "/" . $server_xml_base_name;
+ $servercertnick_conf_instance_file_path = $redirected_conf_path
+ . "/" . $servercertnick_conf_base_name;
+ $tomcat5_conf_instance_file_path = $redirected_conf_path
+ . "/" . 
$tomcat5_conf_base_name;
+
+ $result = copy_directory( $conf_subsystem_path,
+ $redirected_conf_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $conf_subsystem_path to $redirected_conf_path ...\n" );
+ return 0;
+ }
+ }
+
+ push( @installed_stray_directories,
+ $redirected_conf_path );
+
+ $result = create_symbolic_link( $conf_instance_symlink_path,
+ $redirected_conf_path );
+ if( !$result ) {
+ emit( "Failed to create symlink $conf_instance_symlink_path ...\n" );
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $conf_instance_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$conf_instance_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+ give_directory_to( $redirected_conf_path,
+ $pki_user,
+ $pki_group );
+ }
+
+
+ # Check for an optionally redirected "logs" directory path ...
+ if( $redirected_logs_path eq "" ) {
+ $result = copy_directory( $logs_subsystem_path,
+ $logs_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $logs_subsystem_path to $logs_instance_path ...\n" );
+ return 0;
+ }
+ } else {
+ # Populate optionally redirected instance directory path
+ # and setup a symlink in the standard area
+ $result = copy_directory( $logs_subsystem_path,
+ $redirected_logs_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $logs_subsystem_path to $redirected_logs_path ...\n" );
+ return 0;
+ }
+
+ push( @installed_stray_directories,
+ $redirected_logs_path );
+
+ $result = create_symbolic_link( $logs_instance_symlink_path,
+ $redirected_logs_path );
+ if( !$result ) {
+ emit( "Failed to create symlink $logs_instance_symlink_path ...\n" );
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $logs_instance_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$logs_instance_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+ give_directory_to( $redirected_logs_path,
+ $pki_user,
+ $pki_group );
+ }
+
+
+ ## Populate instance directory paths (CA 
instances)
+ if( $subsystem_type eq $CA ) {
+ $result = copy_directory( $emails_subsystem_path,
+ $emails_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $emails_subsystem_path to $emails_instance_path ...\n" );
+ return 0;
+ }
+ }
+
+
+ ## Populate instance directory paths (RA, TPS instances)
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+
+ if( $subsystem_type eq $TPS ) {
+ $result = create_directory( $bin_instance_path );
+ if( !$result ) {
+ emit( "Failed to create directory $bin_instance_path ...\n" );
+ return 0;
+ }
+ }
+
+ $result = create_directory( $lib_instance_path );
+ if( !$result ) {
+ emit( "Failed to create directory $lib_instance_path ...\n" );
+ return 0;
+ }
+
+ $result = create_directory( $scripts_instance_path );
+ if( !$result ) {
+ emit( "Failed to create directory $scripts_instance_path ...\n" );
+ return 0;
+ }
+
+ # Apache Specific
+ if( $subsystem_type eq $TPS ) {
+ $result = copy_directory( $cgibin_subsystem_path,
+ $cgibin_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $cgibin_subsystem_path ...\n" );
+ return 0;
+ }
+ }
+
+ # Apache Specific
+ $result = copy_directory( $docroot_subsystem_path,
+ $docroot_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $docroot_subsystem_path ...\n" );
+ return 0;
+ }
+
+ $result = copy_directory( $ui_subsystem_path,
+ $pki_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $webapps_subsystem_path ...\n" );
+ return 0;
+ }
+
+ # fix permissions
+ if( !is_Windows() ) {
+ # Apache Specific
+ if( $subsystem_type eq $TPS ) {
+ chmod( $default_dir_permissions,
+ "$cgibin_instance_path/demo" );
+ chmod( $default_exe_permissions,
+ "$cgibin_instance_path/demo/*.cgi" );
+ chmod( $default_file_permissions,
+ "$cgibin_instance_path/demo/*.html" );
+ chmod( $default_dir_permissions,
+ "$cgibin_instance_path/home" );
+ chmod( $default_exe_permissions,
+ "$cgibin_instance_path/home/*.cgi" );
+ chmod( 
$default_file_permissions,
+ "$cgibin_instance_path/home/*.html" );
+ chmod( $default_dir_permissions,
+ "$cgibin_instance_path/so" );
+ chmod( $default_exe_permissions,
+ "$cgibin_instance_path/so/*.cgi" );
+ chmod( $default_file_permissions,
+ "$cgibin_instance_path/so/*.html" );
+ chmod( $default_dir_permissions,
+ "$cgibin_instance_path/sow" );
+ chmod( $default_exe_permissions,
+ "$cgibin_instance_path/sow/*.cgi" );
+ chmod( $default_file_permissions,
+ "$cgibin_instance_path/sow/*.html" );
+ chmod( $default_exe_permissions,
+ "$cgibin_instance_path/sow/*.pl" );
+ }
+
+ # Apache Specific
+ chmod( $default_file_permissions,
+ "$docroot_instance_path/GenericAuth.html" );
+ chmod( $default_file_permissions,
+ "$docroot_instance_path/style.css" );
+ }
+ } else {
+ ## Populate instance directory paths (CA, KRA, OCSP, TKS instances)
+ $result = copy_directory( $acl_subsystem_path,
+ $acl_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $acl_subsystem_path ...\n" );
+ return 0;
+ }
+
+ $result = copy_directory( $profiles_subsystem_path,
+ $profiles_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $profiles_subsystem_path ...\n" );
+ return 0;
+ }
+
+ $result = copy_directory( $webapps_subsystem_path,
+ $webapps_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $webapps_subsystem_path ...\n" );
+ return 0;
+ }
+
+ $result = copy_directory( $common_ui_subsystem_path,
+ $webapps_subsystem_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $webapps_subsystem_path ...\n" );
+ return 0;
+ }
+
+ $result = copy_directory( $ui_subsystem_path,
+ $pki_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $webapps_subsystem_path ...\n" );
+ return 0;
+ }
+
+ # Tomcat Specific
+ $result = copy_directory( $shared_subsystem_path,
+ $shared_instance_path );
+ if( !$result ) {
+ emit( "Failed to copy directory $shared_subsystem_path ...\n" );
+ return 0;
+ }
+
+ $result = 
create_directory( $temp_instance_path );
+ if( !$result ) {
+ emit( "Failed to create directory $temp_instance_path ...\n" );
+ return 0;
+ }
+
+ $result = create_directory( $work_instance_path );
+ if( !$result ) {
+ emit( "Failed to create directory $work_instance_path ...\n" );
+ return 0;
+ }
+ }
+
+ ## Set appropriate permissions
+ give_directory_to( $pki_instance_path,
+ $pki_user,
+ $pki_group );
+
+ return 1;
+}
+
+
+# arg0 source file path
+# arg1 dest file path
+# arg2 %slot_hash
+# return 1 - success, or
+# return 0 - failure
+sub process_file_template
+{
+ my( $source_file_path ) = $_[0];
+ my( $dest_file_path ) = $_[1];
+ my( $l_slot_hash ) = $_[2];
+
+ my $result = 0;
+ my $inf = new FileHandle;
+ my $buff = "";
+ my $ouf = new FileHandle;
+
+ emit( " Converting '$source_file_path' ==> '$dest_file_path' ...\n" );
+
+ # check for a valid source file
+ if( !is_path_valid( $source_file_path ) ) {
+ emit( "process_file_template(): invalid source path "
+ . "$source_file_path!\n",
+ "error" );
+ return $result;
+ }
+
+ # check for a valid destination file
+ if( !is_path_valid( $dest_file_path ) ) {
+ emit( "process_file_template(): invalid destination path "
+ . "$dest_file_path!\n",
+ "error" );
+ return $result;
+ }
+
+ # read in contents of source file
+ $inf->open( "<$source_file_path" ) or
+ die "Could not open $source_file_path\n";
+ while( <$inf> ) {
+ my $line = $_;
+ chomp( $line );
+ $buff = $buff . 
"$line\n";
+ }
+ $inf->close();
+
+
+ # process each line substituting each [KEY]
+ # with its corresponding slot hash value
+ while( my( $key, $value ) = each( %$l_slot_hash ) ) {
+ emit( " replacing: $key with: $value\n" );
+ $buff =~ s/\[$key\]/$value/g;
+ }
+
+
+ # write out these modified contents to the destination file
+ $ouf->open( ">$dest_file_path" ) or die "Could not open $dest_file_path\n";
+ $ouf->print( $buff );
+ $ouf->close();
+
+ $result = 1;
+
+ return $result;
+}
+
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub process_pki_templates()
+{
+ my %slot_hash = ();
+
+ emit( "Processing PKI templates for '$pki_instance_path' ...\n" );
+
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+ # Setup templates (RA, TPS)
+ $slot_hash{$GROUPID} = $pki_group;
+ $slot_hash{$HTTPD_CONF} = $httpd_conf_instance_file_path;
+ $slot_hash{$INSTANCE_ID} = $pki_instance_name;
+ $slot_hash{$LIB_PREFIX} = $lib_prefix;
+ $slot_hash{$NSS_CONF} = $nss_conf_instance_file_path;
+ $slot_hash{$OBJ_EXT} = $obj_ext;
+ $slot_hash{$PORT} = $unsecure_port;
+ $slot_hash{$PROCESS_ID} = $$;
+ $slot_hash{$SECURE_PORT} = $secure_port;
+ $slot_hash{$SECURITY_LIBRARIES} = $default_security_libraries;
+ $slot_hash{$SERVER_NAME} = $host;
+ $slot_hash{$SERVER_ROOT} = $pki_instance_path;
+ $slot_hash{$SUBSYSTEM_TYPE} = $subsystem_type;
+ $slot_hash{$SYSTEM_LIBRARIES} = $default_system_libraries;
+ $slot_hash{$SYSTEM_USER_LIBRARIES} = $default_system_user_libraries;
+ $slot_hash{$TMP_DIR} = $tmp_dir;
+ $slot_hash{$TPS_DIR} = $pki_subsystem_path;
+ $slot_hash{$USERID} = $pki_user;
+ $slot_hash{$PKI_FLAVOR} = $pki_flavor;
+ $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
+ if( is_Fedora() || (is_RHEL() && (! 
is_RHEL4())) ) {
+ $slot_hash{$FORTITUDE_APACHE} = "Apache2";
+ $slot_hash{$FORTITUDE_DIR} = "/usr";
+ $slot_hash{$FORTITUDE_LIB_DIR} = "/etc/httpd";
+ $slot_hash{$FORTITUDE_MODULE} = "/etc/httpd/modules";
+ $slot_hash{$FORTITUDE_AUTH_MODULES} =
+"
+LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
+LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
+LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
+LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
+LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
+";
+ $slot_hash{$FORTITUDE_NSS_MODULES} =
+"
+LoadModule nss_module /etc/httpd/modules/libmodnss.so
+";
+ }
+ else {
+ $slot_hash{$FORTITUDE_APACHE} = "Apache";
+ $slot_hash{$FORTITUDE_DIR} = "/opt/fortitude";
+ $slot_hash{$FORTITUDE_LIB_DIR} = "/opt/fortitude";
+ $slot_hash{$FORTITUDE_MODULE} = "/opt/fortitude/modules.local";
+ $slot_hash{$FORTITUDE_AUTH_MODULES} =
+"
+LoadModule auth_module /opt/fortitude/modules/mod_auth.so
+LoadModule access_module /opt/fortitude/modules/mod_access.so
+";
+ $slot_hash{$FORTITUDE_NSS_MODULES} =
+"
+LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
+";
+ }
+ } else {
+ # Setup templates (CA, KRA, OCSP, TKS)
+ $slot_hash{$INSTALL_TIME} = localtime;
+ $slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password;
+ $slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path;
+ $slot_hash{$PKI_GROUP_SLOT} = $pki_group;
+ $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
+ $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
+ $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
+ $slot_hash{$PKI_MACHINE_NAME_SLOT} = $host;
+ $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
+ $slot_hash{$PKI_SECURE_PORT_SLOT} = $secure_port;
+ $slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path;
+ $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
+ $slot_hash{$PKI_UNSECURE_PORT_SLOT} = $unsecure_port;
+ 
$slot_hash{$PKI_USER_SLOT} = $pki_user;
+ $slot_hash{$TOMCAT_SERVER_PORT_SLOT} = $tomcat_server_port;
+ $slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor;
+ }
+
+
+ ## Process templates (instance independent)
+ #
+ # NOTE: The values substituted may differ across subsystems.
+ #
+
+ # process "CS.cfg" template
+ $result = process_file_template( $pki_cfg_subsystem_file_path,
+ $pki_cfg_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "httpd" template
+ #
+ # NOTE: CA, KRA, OCSP, TKS instances are dependent upon the location
+ # of the instance-specific "server.xml" file, while RA and TPS
+ # instances are dependent upon the instance-specific location
+ # of the "nss.conf" file.
+ #
+ $result = process_file_template(
+ $pki_start_stop_script_subsystem_file_path,
+ $pki_start_stop_script_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ chmod( $default_exe_permissions,
+ $pki_start_stop_script_instance_file_path );
+
+ push( @installed_files,
+ $pki_start_stop_script_instance_file_path );
+
+
+ if( $^O eq "linux" ) {
+ # process "config.desktop" template
+ $result = process_file_template( $setup_config_subsystem_file_path,
+ $setup_config_instance_file_path,
+ \%slot_hash );
+ if( ! 
$result ) {
+ return 0;
+ }
+
+ push( @installed_files,
+ $setup_config_instance_file_path );
+ }
+
+
+ ## Process templates (CA instances)
+ # if( $subsystem_type eq $CA ) {
+ # }
+
+
+ ## Process templates (RA, TPS instances)
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+
+ if( $subsystem_type eq $TPS ) {
+
+ # process "apachectl" template
+ $result = process_file_template( $apachectl_subsystem_file_path,
+ $apachectl_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ chmod( $default_exe_permissions,
+ $apachectl_instance_file_path );
+
+
+ # process "cgi" template
+ $result = process_file_template( $cgi_home_subsystem_file_path,
+ $cgi_home_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = process_file_template( $cgi_demo_subsystem_file_path,
+ $cgi_demo_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = process_file_template( $cgi_so_subsystem_file_path,
+ $cgi_so_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = process_file_template( $cgi_sow_subsystem_file_path,
+ $cgi_sow_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ # process "addAgents.ldif" template
+ $result = process_file_template( $addAgents_ldif_subsystem_file_path,
+ $addAgents_ldif_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "addIndexes.ldif" template
+ $result = process_file_template( $addIndexes_ldif_subsystem_file_path,
+ $addIndexes_ldif_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "addTokens.ldif" template
+ $result = process_file_template( $addTokens_ldif_subsystem_file_path,
+ $addTokens_ldif_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "addVLVIndexes.ldif" template
+ $result = process_file_template(
+ $addVLVIndexes_ldif_subsystem_file_path,
+ $addVLVIndexes_ldif_instance_file_path,
+ 
\%slot_hash ); + if( !$result ) { + return 0; + } + + # process "schemaMods.ldif" template + $result = process_file_template( $schemaMods_ldif_subsystem_file_path, + $schemaMods_ldif_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + } + + + # process "httpd.conf" template + $result = process_file_template( $httpd_conf_subsystem_file_path, + $httpd_conf_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + chmod( $default_file_permissions, + $httpd_conf_instance_file_path ); + + + # process "nss.conf" template + $result = process_file_template( $nss_conf_subsystem_file_path, + $nss_conf_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + # fix ownership for nss.conf + $result = give_file_to( $nss_conf_instance_file_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "Can't change ownership of " + . "$nss_conf_instance_file_path.\n", + "error" ); + return 0; + } + + chmod( $default_file_permissions, + $nss_conf_instance_file_path ); + + + # process "perl.conf" template + $result = process_file_template( $perl_conf_subsystem_file_path, + $perl_conf_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + chmod( $default_file_permissions, + $perl_conf_instance_file_path ); + + # process "nss_pcache" template + $result = process_file_template( $nss_pcache_subsystem_file_path, + $nss_pcache_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + chmod( $default_exe_permissions, + $nss_pcache_instance_file_path ); + + + } else { + ## Process templates (CA, KRA, OCSP, TKS instances) + # process "catalina.sh" (aka dtomcat5) template + $result = process_file_template( $catalina_sh_subsystem_file_path, + $catalina_sh_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + $result = give_file_to( $catalina_sh_instance_file_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "Can't change ownership of " + . 
"$catalina_sh_instance_file_path.\n", + "error" ); + return 0; + } + + chmod( $default_exe_permissions, + $catalina_sh_instance_file_path ); + + push( @installed_files, + $catalina_sh_instance_file_path ); + + + # process "index.html" template + $result = process_file_template( $index_html_subsystem_file_path, + $index_html_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "server.xml" template + $result = process_file_template( $server_xml_subsystem_file_path, + $server_xml_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "serverCertNick.conf" template + $result = process_file_template( $servercertnick_conf_subsystem_file_path, + $servercertnick_conf_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + # process "tomcat5.conf" template + $result = process_file_template( $tomcat5_conf_subsystem_file_path, + $tomcat5_conf_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "velocity.properties" template + $result = process_file_template( $velocity_prop_subsystem_file_path, + $velocity_prop_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "web.xml" template + $result = process_file_template( $web_xml_subsystem_file_path, + $web_xml_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + } + + return 1; +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub process_pki_files_and_symlinks() +{ + my $result = 0; + + emit( "Processing PKI files and symbolic links for " + . 
"'$pki_instance_path' ...\n" ); + + ## Populate instances (instance independent) + + # create a filled in temporary "noise" + # file for this instance + my $noise = generate_random_string( 1024 ); + + create_file( $noise_instance_file_path, + $noise ); + + $result = give_file_to( $noise_instance_file_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "Can't change ownership of $noise_base_name.\n", + "error" ); + return 0; + } + + chmod( $default_file_permissions, + $noise_instance_file_path ); + + + # create a filled in empty "password.conf" + # password file for this instance + create_file( $password_conf_instance_file_path, + "$default_security_token:$db_password" ); + + $result = give_file_to( $password_conf_instance_file_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "Can't change ownership of $password_conf_base_name.\n", + "error" ); + return 0; + } + + chmod( $default_file_permissions, + $password_conf_instance_file_path ); + + + # create a filled in empty temporary "pfile" + # password file for this instance + create_file( $pfile_instance_file_path, + $db_password ); + + $result = give_file_to( $pfile_instance_file_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "Can't change ownership of $pfile_base_name.\n", + "error" ); + return 0; + } + + chmod( $default_file_permissions, + $pfile_instance_file_path ); + + + # create instance symlink to actual instance "start/stop" script + $result = create_symbolic_link( $pki_start_stop_script_symlink_path, + $pki_start_stop_script_instance_file_path ); + if( !$result ) { + return 0; + } + # + # NOTE: This symlink requires "$root_user:$root_group" ownership + # since the destination that it refers to is owned by + # "$root_user:$root_group". 
+ # + $result = give_symbolic_link_to( $pki_start_stop_script_symlink_path, + $root_user, + $root_group ); + if( !$result ) { + emit( "$pki_start_stop_script_instance_file_path ownership problems!", + "error" ); + return 0; + } + + + ## Populate instances (CA instances) + # if( $subsystem_type eq $CA ) { + # } + + + ## Populate instances (RA, TPS instances) + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + # Subdirectory Specific symbolic links + + # create instance symlink to subsystem "perl" subdirectory + $result = create_symbolic_link( $perl_instance_symlink_path, + $perl_subsystem_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $perl_instance_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$perl_instance_symlink_path ownership problems!", + "error" ); + return 0; + } + + + # Apache Specific symbolic links + + # create instance symlink to apache "run" subdirectory + $result = create_symbolic_link( $run_instance_symlink_path, + $default_apache_pids_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $run_instance_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$run_base_instance_symlink ownership problems!", + "error" ); + return 0; + } + } else { + ## Populate instances (CA, KRA, OCSP, TKS instances) + # create instance "webapps/$subsystem_type/WEB-INF/lib" subdirectory + $result = create_directory( $webinf_lib_instance_path ); + if( !$result ) { + return 0; + } + + + # create instance symlink to "$subsystem_type.jar" + $result = create_symbolic_link( $subsystem_jar_symlink_path, + $subsystem_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $subsystem_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$subsystem_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + + # create instance symlink to "certsrv.jar" + $result = create_symbolic_link( 
$certsrv_jar_symlink_path, + $certsrv_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $certsrv_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$certsrv_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + # create instance symlink to "cmsutil.jar" + $result = create_symbolic_link( $cmsutil_jar_symlink_path, + $cmsutil_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $cmsutil_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$cms_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + # create instance symlink to "nsutil.jar" + $result = create_symbolic_link( $nsutil_jar_symlink_path, + $nsutil_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $nsutil_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$cms_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + # create instance symlink to "cms.jar" + $result = create_symbolic_link( $cms_jar_symlink_path, + $cms_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $cms_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$cms_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + + # create instance symlink to "cmsbundle.jar" + $result = create_symbolic_link( $cmsbundle_jar_symlink_path, + $cmsbundle_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $cmsbundle_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$cmsbundle_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + + # create instance symlink to "cmscore.jar" + $result = create_symbolic_link( $cmscore_jar_symlink_path, + $cmscore_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $cmscore_jar_symlink_path, + $pki_user, + 
$pki_group ); + if( !$result ) { + emit( "$cmscore_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + + # create instance symlink to "osutil.jar" + $result = create_symbolic_link( $osutil_jar_symlink_path, + $osutil_jar_file_path ); + if( !$result ) { + return 0; + } + + $result = give_symbolic_link_to( $osutil_jar_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$osutil_jar_symlink_path ownership problems!", + "error" ); + return 0; + } + + + # Tomcat Specific + + # create instance symlink to tomcat "common" directory + # + # NOTE: This symlink requires "$root_user:$root_group" ownership + # since the destination that it refers to is owned by + # "$root_user:$root_group". + # + $result = create_symbolic_link( $common_instance_symlink_path, + $default_tomcat_common_path ); + if( !$result ) { + return 0; + } + $result = give_symbolic_link_to( $common_instance_symlink_path, + $root_user, + $root_group ); + if( !$result ) { + emit( "$common_instance_symlink_path ownership problems!", + "error" ); + return 0; + } + } + + return 1; +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub process_pki_security_databases() +{ + my $result = 0; + my $serial_number = 0; + my $validity_period = 12; + my $time_stamp = get_time_stamp(); + my $subject = "CN=$host,O=$time_stamp"; + my $issuer_name = "CN=$host,O=$time_stamp"; + my $nickname = "Server-Cert cert-$pki_instance_name"; + my $trustargs = "CTu,CTu,CTu"; + + emit( "Processing PKI security databases for '$pki_instance_path' ...\n" ); + + # now create and configure pki security databases, + # cert3.db, key3.db, secmod.db ... + if( !file_exists( $default_certutil_command ) ) { + emit( "process_pki_security_databases(): $default_certutil_command " + . "does not exist!\n", + "error" ); + return $result; + + } + + if( !file_exists( $noise_instance_file_path ) ) { + emit( "process_pki_security_databases(): Can't find " + . 
"temp noise file!\n", + "error" ); + return $result; + } + + if( !file_exists( $pfile_instance_file_path ) ) { + emit( "process_pki_security_databases(): Can't find temp file " + . "with password!\n", + "error" ); + return $result; + } + + certutil_create_databases( $alias_instance_path, + $pfile_instance_file_path ); + + certutil_generate_self_signed_cert( $alias_instance_path, + $default_security_token, + $serial_number, + $validity_period, + $subject, + $issuer_name, + $nickname, + $trustargs, + $noise_instance_file_path, + $pfile_instance_file_path ); + + remove_file( $noise_instance_file_path ); + + remove_file( $pfile_instance_file_path ); + + give_directory_to( $alias_instance_path, $pki_user, $pki_group ); + + return 1; +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub process_pki_security_modules() +{ + my $result = 0; + + emit( "Processing PKI security modules for '$pki_instance_path' ...\n" ); + + if( !file_exists( $default_modutil_command ) ) { + emit( "process_pki_security_modules(): $default_modutil_command " + . "must be installed on system!\n", + "error" ); + return $result; + } + + emit( " Attempting to add hardware security modules to system if " + . 
"applicable ...\n" ); + + while( my( $key, $value ) = each( %supported_sec_modules_hash ) ) { + if( !file_exists( $value ) ) { + emit( " module name: $key lib: $value DOES NOT EXIST!\n" ); + next; + } else { + modutil_add_token( $alias_instance_path, $key, $value ); + emit( " Added module name: $key lib: $value\n" ); + } + } + + return 1; +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub install_pki_instance() +{ + my $result = 0; + + emit( "Installing PKI instance ...\n" ); + + if( !directory_exists( "$pki_instance_path" ) ) { + $result = create_directory( "$pki_instance_path" ); + + push( @installed_stray_directories, + "$pki_instance_path" ); + if( !$result ) { + return 0; + } + } + + $result = process_pki_directories(); + if( !$result ) { + return 0; + } + + $result = process_pki_templates(); + if( !$result ) { + return 0; + } + + $result = process_pki_files_and_symlinks(); + if( !$result ) { + return 0; + } + + $result = process_pki_security_databases(); + if( !$result ) { + return 0; + } + + $result = process_pki_security_modules(); + if( !$result ) { + return 0; + } + + return 1; +} + + +############################################################## +# PKI Instance Removal Subroutines +############################################################## + +# no args +# return 1 - success, or +# return 0 - failure +sub save_cleanup_file() +{ + my $result = 0; + + my $cleanup = new FileHandle; + + my $source_file_path = $pki_instance_path + . "/" . 
$saved_cleanup_file_name; + + my $files_size = @installed_files; + my $directories_size = @installed_stray_directories; + + if( $files_size == 0 && $installed_stray_directories == 0 ) { + emit( "No files or directories created in save_cleanup_file!", + "error" ); + return $result; + } + + $cleanup->open( ">$source_file_path" ) or + die "Could not open $source_file_path\n"; + + my $buff = ""; + + $cleanup->print( "$saved_file_marker\n" ); + + if( $files_size ) { + my $i = 0; + + for( $i = 0; $i < $files_size; $i++ ) { + $cleanup->print( "$installed_files[$i]\n" ); + } + } + + $cleanup->print( "$saved_directory_marker\n" ); + + if( $directories_size ) { + my $i = 0; + + for( $i = 0; $i < $directories_size; $i++ ) { + $cleanup->print( "$installed_stray_directories[$i]\n" ); + } + } + + $cleanup->close(); + + return 1; +} + + +# no args +# no return value +sub cleanup() +{ + my $result = 0; + + print( STDOUT + "\n\nPKI instance creation Cleanup Utility " + . "cleaning up on error ...\n\n" ); + + $result = remove_directory( "$pki_instance_path" ); + + my $size = @installed_files; + + if( $size ) { + my $i = 0; + + for( $i = 0; $i < $size; $i ++ ) { + remove_file( $installed_files[$i] ); + } + } + + $size = @installed_stray_directories; + + if( $size ) { + my $i = 0; + + for( $i = 0; $i < $size; $i++ ) { + remove_directory( $installed_stray_directories[$i] ); + } + } + + return; +} + + +############################################################## +# Main Program +############################################################## + +# no args +# no return value +sub main() +{ + my $result = 0; + my $parse_result = 0; + my $command = ""; + + chdir( "/tmp" ); + + print( STDOUT + "PKI instance creation Utility ...\n\n" ); + + # On Linux/UNIX, insure that this script is being run as "root". 
+ $result = check_for_root_UID(); + if( !$result ) { + usage(); + exit 255; + } + + # Setup platform-dependent parameters + setup_platform_dependent_parameters(); + + $parse_result = parse_arguments(); + if( !$parse_result || $parse_result == -1 ) { + # If it exists, close the log file + close_logfile( $logfile ); + exit 255; + } + + initialize_paths(); + + initialize_pki_creation_values(); + + if( $subsystem_type eq $CA || + $subsystem_type eq $KRA || + $subsystem_type eq $OCSP || + $subsystem_type eq $TKS ) { + if( -e $pkicomplete ) { + `$pkicomplete`; + } + } + + $result = install_pki_instance(); + if( !$result ) { + print( STDOUT "\n" ); + +ASK_AGAIN: + my $confirm = prompt( "Error detected would you like to clean up " + . "$pki_instance_path (Y/N)? " ); + + if( $confirm eq "Y" || $confirm eq "y" ) { + cleanup(); + } elsif( $confirm ne "N" && $confirm ne "n" ) { + goto ASK_AGAIN; + } + + # If it exists, close the log file + close_logfile( $logfile ); + + exit 255; + } + + print( STDOUT "\n" ); + print( STDOUT + "PKI instance creation completed ...\n\n" ); + + + $result = save_cleanup_file(); + if( !$result ) { + emit( "Unable to create " + . $pki_instance_path + . "/" . $saved_cleanup_file_name + . "!\n", + "error" ); + + # If it exists, close the log file + close_logfile( $logfile ); + + exit 255; + } + + $command = "$pki_start_stop_script_instance_file_path start"; + + system( "$command" ); + + print( STDOUT + "Server can be operated with " + . "$pki_start_stop_script_instance_file_path " + . "start | stop | restart\n\n" ); + emit( "Server can be operated with " + . "$pki_start_stop_script_instance_file_path " + . "start | stop | restart\n", + "log" ); + + print( STDOUT + "Please start the configuration by accessing:\n" + . "http://$host:$unsecure_port/$subsystem_type/admin/" + . "console/config/login?pin=$random\n\n" ); + emit( "Configuration Wizard listening on\n" + . "http://$host:$unsecure_port/$subsystem_type/admin/" + . 
"console/config/login?pin=$random\n", + "log" ); + + # If it exists, close the log file + close_logfile( $logfile ); + + return; +} + + +############################################################## +# PKI Instance Creation +############################################################## + +main(); + +exit 0; + diff --git a/pki/base/setup/pkihost b/pki/base/setup/pkihost new file mode 100755 index 000000000..bdd5ff5c8 --- /dev/null +++ b/pki/base/setup/pkihost 
@@ -0,0 +1,157 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# + +############################################################## +# This script is used to display the fully qualified name +# of this host. +# +# Sample Invocation: +# +# ./pkihost +# +############################################################## + + +############################################################## +# Perl Version +############################################################## + +my $MINIMUM_PERL_VERSION = "5.006001"; + +my $perl_version_error_message = "ERROR: Using Perl version $] ...\n" + . " Must use Perl version " + . "$MINIMUM_PERL_VERSION or later to " + . "run this script!\n"; + +die "$perl_version_error_message" if $] < $MINIMUM_PERL_VERSION; + + +############################################################## +# Execution Check +############################################################## + +# Check to insure that this script's original +# invocation directory has not been deleted! 
+my $cwd = `/bin/pwd`; +chomp $cwd; +if( "$cwd" eq "" ) { + print( STDERR "Cannot invoke '$0' from non-existent directory!\n" ); + print( STDOUT "\n" ); + exit 255; +} + + +############################################################## +# Environment Variables +############################################################## + +# untaint called subroutines +if( ( $^O ne 'Windows_NT' ) && ( $^O ne 'MSWin32' ) ) { + $> = $<; # set effective user ID to real UID + $) = $(; # set effective group ID to real GID + $ENV{ 'PATH' } = '/bin:/usr/bin'; + $ENV{ 'ENV' } = '' if $ENV{ 'ENV' } ne ''; +} + + +############################################################## +# Command-Line Variables +############################################################## + +my $ARGS = ( $#ARGV + 1 ); + + +############################################################## +# Shared Common Perl Data and Subroutines +############################################################## + +# Compute "flavor" of Operating System +my $pki_flavor = ""; +if( $^O eq "linux" ) { + $pki_flavor = `pkiflavor`; +} elsif( $^O eq "solaris" ) { + $pki_flavor = `pkiflavor`; +} else { + print( STDERR + "ERROR: Unsupported platform '$^O'!\n" ); + print( STDOUT "\n" ); + exit 255; +} + +$pki_flavor =~ s/\s+$//g; + +# Establish path to scripts +my $pki_subsystem_common_area = "/usr/share/$pki_flavor"; +my $common_path = "/usr/share/pki/scripts"; + +if( ! -d "$common_path" ) { + print( STDERR + "ERROR: The path '$common_path' does not exist!\n" + . " Unable to load shared Common Perl Data " + . "and Subroutines!\n" ); + print( STDOUT "\n" ); + exit 255; +} + +if( ! -e "$common_path/pkicommon" ) { + print( STDERR + "ERROR: The file '$common_path/pkicommon' does not exist!\n" + . " Unable to load shared Common Perl Data " + . "and Subroutines!\n" ); + print( STDOUT "\n" ); + exit 255; +} + +eval( "use lib '" . $common_path . 
"'" );
+require( 'pkicommon' );
+
+# make -w happy by suppressing warnings of Global variables used only once
+my $suppress = "";
+$suppress = $hostname;
+
+
+##############################################################
+# Main Program
+##############################################################
+
+# no args
+# no return value
+sub main()
+{
+ my $host = "";
+
+ # obtain the fully-qualified domain name of this host
+ $host = get_FQDN( $hostname );
+
+ print( STDOUT "$host\n" );
+
+ return;
+}
+
+
+##############################################################
+# PKI Instance Creation
+##############################################################
+
+main();
+
+exit 0;
+
diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove
new file mode 100755
index 000000000..6ec3752b5
--- /dev/null
+++ b/pki/base/setup/pkiremove
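Review bot: The block commented "untaint called subroutines" does less than its name suggests: the script is not started with `-T`, and before the `pkiflavor` backtick runs only `PATH` and `ENV` are sanitized, while the other variables perlsec tells privileged scripts to clear (`IFS`, `CDPATH`, `BASH_ENV`) are inherited from the caller. The result of that backtick is also never checked, so if `pkiflavor` is absent from `/bin:/usr/bin` or exits non-zero, `$pki_flavor` is silently empty and execution continues with a bogus `/usr/share/` path (which this script then never uses, so `$pki_subsystem_common_area` could simply be dropped). I would replace the `$ENV{ 'ENV' }` line with `delete @ENV{ qw( IFS CDPATH ENV BASH_ENV ) };` and follow the backtick with `die "pkiflavor failed ($?)\n" if $? != 0;`, and note in the comment that this is environment hygiene, not taint checking.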
@@ -0,0 +1,419 @@ +#!/usr/bin/perl +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# + +############################################################## +# This script is used to remove an existing PKI instance. +# +# To execute: +# +# ./pkiremove -pki_instance_root=<pki_instance_root> # Instance root +# # directory destination +# +# -pki_instance_name=<pki_instance_id> # Unique PKI subsystem +# # instance name +# # (e. g. - pki-pki1) +# +# [-force] # Don't ask any +# # questions +# +############################################################## + + +############################################################## +# Perl Version +############################################################## + +my $MINIMUM_PERL_VERSION = "5.006001"; + +my $perl_version_error_message = "ERROR: Using Perl version $] ...\n" + . " Must use Perl version " + . "$MINIMUM_PERL_VERSION or later to " + . "run this script!\n"; + +die "$perl_version_error_message" if $] < $MINIMUM_PERL_VERSION; + + +############################################################## +# Execution Check +############################################################## + +# Check to insure that this script's original +# invocation directory has not been deleted! 
+my $cwd = `/bin/pwd`; +chomp $cwd; +if( "$cwd" eq "" ) { + print( STDERR "Cannot invoke '$0' from non-existent directory!\n" ); + print( STDOUT "\n" ); + exit 255; +} + + +############################################################## +# Environment Variables +############################################################## + +# untaint called subroutines +if( ( $^O ne 'Windows_NT' ) && ( $^O ne 'MSWin32' ) ) { + $> = $<; # set effective user ID to real UID + $) = $(; # set effective group ID to real GID + $ENV{ 'PATH' } = '/bin:/usr/bin'; + $ENV{ 'ENV' } = '' if $ENV{ 'ENV' } ne ''; +} + + +############################################################## +# Command-Line Variables +############################################################## + +my $ARGS = ( $#ARGV + 1 ); + + +############################################################## +# Shared Common Perl Data and Subroutines +############################################################## + +# Compute "flavor" of Operating System +my $pki_flavor = ""; +if( $^O eq "linux" ) { + $pki_flavor = `pkiflavor`; +} elsif( $^O eq "solaris" ) { + $pki_flavor = `pkiflavor`; +} else { + print( STDERR + "ERROR: Unsupported platform '$^O'!\n" ); + print( STDOUT "\n" ); + exit 255; +} + +$pki_flavor =~ s/\s+$//g; + +# Establish path to scripts +my $common_path = "/usr/share/pki/scripts"; + +if( ! -d "$common_path" ) { + print( STDERR + "ERROR: The path '$common_path' does not exist!\n" + . " Unable to load shared Common Perl Data " + . "and Subroutines!\n" ); + print( STDOUT "\n" ); + exit 255; +} + +if( ! -e "$common_path/pkicommon" ) { + print( STDERR + "ERROR: The file '$common_path/pkicommon' does not exist!\n" + . " Unable to load shared Common Perl Data " + . "and Subroutines!\n" ); + print( STDOUT "\n" ); + exit 255; +} + +eval( "use lib '" . $common_path . 
"'" ); +require( 'pkicommon' ); + + +############################################################## +# Local Constants +############################################################## + +my $saved_cleanup_file_name = ".cleanup.dat"; +my $saved_file_marker = "[files]"; +my $saved_directory_marker = "[directories]"; + + +############################################################## +# Local Data Structures +############################################################## + + +############################################################## +# Local Variables +############################################################## + +my $pki_instance_root = ""; +my $pki_instance_name = ""; +my $force = 0; + +my $pki_instance_path = ""; + + +############################################################## +# Platform-Dependent Data Initialization +############################################################## + + +############################################################## +# Local Data Initialization +############################################################## + + +############################################################## +# PKI Instance Removal Subroutines +############################################################## + +# no args +# no return value +sub usage() +{ + print( STDOUT + "Usage: pkiremove -pki_instance_root=<pki_instance_root> " + . "# Instance root\n" + . " " + . "# directory\n" + . " " + . "# destination\n\n" + . " -pki_instance_name=<pki_instance_id> " + . "# Unique PKI\n" + . " " + . "# subsystem\n" + . " " + . "# instance name\n" + . " " + . "# (e. g. - pki-pki1)\n\n" + . " [-force] " + . "# Don't ask\n" + . " " + . "# any questions\n\n" ); + + print( STDOUT + "Example: pkiremove -pki_instance_root=/var/lib " + . 
"-pki_instance_name=$pki_flavor-ca1\n\n" ); + + print( STDOUT + "IMPORTANT: Must be run as root!\n\n" ); + + return; +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub remove_instance() +{ + my $command = ""; + + print( STDOUT + "PKI instance Deletion Utility " + . "cleaning up instance ...\n\n" ); + + my $result = 0; + my $cleanup = new FileHandle; + my $source_file_path = $pki_instance_path + . "/" . $saved_cleanup_file_name; + my @files; + my @directories; + my $pki_start_stop_script_instance_file_path = ""; + my $confirm = "Y"; + +ASK_AGAIN: + if( !$force ) { + $confirm = prompt( "You have elected to remove the instance " + . "installed in " + . "$pki_instance_path.\n" + . "Are you sure (Y/N)? " ); + } + + if( $confirm eq "N" || $confirm eq "n" ) { + return 1; + } elsif( $confirm ne "Y" && $confirm ne "y" ) { + goto ASK_AGAIN; + } + + if( !file_exists( "$source_file_path" ) ) { + print( STDERR + "ERROR: Can't remove instance, " + . "cleanup file does not exist!\n" ); + return $result; + } + + $cleanup->open( "<$source_file_path" ) or die "Could not open file!\n"; + + my $file_mode = "file"; + my @file_split; + + while( <$cleanup> ) + { + my $line = $_; + chomp( $line ); + + if( $line eq $saved_file_marker ) { + $file_mode = "file"; + next; + } + + if( $line eq $saved_directory_marker ) { + $file_mode = "directory"; + next; + } + + if( $file_mode eq "file" ) { + push( @files, $line ); + + @file_split = split( '/', $line ); + my $last = @file_split; + + if( $file_split[$last -1] eq $pki_instance_name ) { + $pki_start_stop_script_instance_file_path = $line; + } + } + + if( $file_mode eq "directory" ) { + push( @directories, $line ); + } + } + + $cleanup->close(); + + if( $pki_start_stop_script_instance_file_path eq "" ) { + print( STDERR + "ERROR: Can't locate start script of " + . 
"instance to be cleaned up!\n" ); + return $result; + } + + $command = "$pki_start_stop_script_instance_file_path stop"; + + system( "$command" ); + + my $size = @directories; + + print( STDOUT "\n" ); + + if( $size ) { + my $i = 0; + for( $i = 0; $i < $size; $i ++ ) { + print( STDOUT + "Removing dir $directories[$i]\n" ); + remove_directory( $directories[$i] ); + } + } + + $size = @files; + + if( $size ) { + my $i = 0; + for( $i = 0; $i < $size; $i++ ) { + print( STDOUT + "Removing file $files[$i]\n" ); + remove_file( $files[$i] ); + } + } + + print( STDOUT "\n" ); + + $result = 1; + return $result; +} + + +############################################################## +# Main Program +############################################################## + +# no args +# return 1 - success, or +# return 0 - failure +sub main() +{ + chdir( "/tmp" ); + + my $result = 0; + + print( STDOUT + "PKI instance Deletion Utility ...\n\n" ); + + # On Linux/UNIX, insure that this script is being run as "root". + $result = check_for_root_UID(); + if( !$result ) { + usage(); + exit 255; + } + + # Check for a valid number of command-line arguments. + if( $ARGS < 2 ) { + print( STDERR + "$0: Insufficient arguments!\n\n" ); + usage(); + exit 255; + } + + # Parse command-line arguments. + $result = GetOptions( "pki_instance_root=s" => \$pki_instance_root, + "pki_instance_name=s" => \$pki_instance_name, + "force" => \$force ); + + # Always disallow root to be the pki_instance_root. + if( $pki_instance_root eq "/" ) { + print( STDERR + "$0: Don't even think about making root " + . "the pki_instance_root!\n\n" ); + usage(); + exit 255; + } + + # Remove all trailing directory separators ('/') + $pki_instance_root =~ s/\/+$//; + + # Check for valid content of command-line arguments. 
+ if( $pki_instance_root eq "" ) { + print( STDERR + "$0: Must have value for -pki_instance_root!\n\n" ); + usage(); + exit 255; + } + + if( $pki_instance_name eq "" ) { + print( STDERR + "$0: The instance ID of the PKI instance " + . "to be removed is required!\n\n" ); + usage(); + exit 255; + } + + $pki_instance_path = $pki_instance_root . "/" . $pki_instance_name; + + if( !directory_exists( "$pki_instance_path" ) ) { + print( STDERR + "$0: Target directory $pki_instance_path " + . "is not a legal directory.\n\n" ); + usage(); + exit 255; + } + + # Remove the specified instance + $result = remove_instance(); + if( $result != 1 ) { + exit 255; + } + + return $result; +} + + +############################################################## +# PKI Instance Removal +############################################################## + +main(); + +exit 0; + |
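Review bot: remove_instance() removes, as root, every path listed in `$pki_instance_path/.cleanup.dat` and runs the entry whose basename matches the instance name through `system( "$command" )`, without validating a single entry, so anyone able to write that file (pkicreate creates it with default permissions inside the instance tree; the tree's ownership is not visible here, so whether the service account can write it needs confirming) can direct root to delete arbitrary paths or execute a chosen script via the shell. pkicreate legitimately records entries outside the instance tree (for example the config.desktop path), so a strict containment check is not possible, but each entry should at least be absolute and free of `..` components, the stop command should bypass the shell with list-form `system`, and the 2-arg `$cleanup->open( "<$source_file_path" )` should become `open( $cleanup, '<', $source_file_path )`. For the same reason main() should reject a `-pki_instance_name` containing `/` or equal to `.`/`..`, since the `eq "/"` test only catches the literal root, e.g. `die "bad instance name\n" unless $pki_instance_name =~ m{\A[A-Za-z0-9._-]+\z} && $pki_instance_name !~ m{\A\.\.?\z};`. The rewritten lines inside remove_instance() are below.
```perl
    # … unchanged: marker handling for [files] / [directories] …
    next if $line eq "";
    if( $line !~ m{\A/} || $line =~ m{(?:\A|/)\.\.(?:/|\z)} ) {
        print( STDERR "ERROR: Refusing suspicious cleanup entry '$line'!\n" );
        $cleanup->close();
        return $result;
    }
    # … unchanged: push onto @files / @directories, start-script lookup …

    # run the instance's own stop script without going through a shell
    system( $pki_start_stop_script_instance_file_path, "stop" );
    # … unchanged: directory and file removal loops …
```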